The National Bureau of Standards¹ was established by an act of Congress on March 3, 1901. The
Bureau's  overall  goal  is  to  strengthen  and  advance  the  nation's  science  and  technology  and  facilitate 
their  effective  application  for  public  benefit.  To  this  end,  the  Bureau  conducts  research  and  provides:  (1)  a 
basis  for  the  nation's  physical  measurement  system,  (2)  scientific  and  technological  services  for  industry  and 
government,  (3)  a  technical  basis  for  equity  in  trade,  and  (4)  technical  services  to  promote  public  safety. 
The  Bureau's  technical  work  is  performed  by  the  National  Measurement  Laboratory,  the  National 
Engineering  Laboratory,  the  Institute  for  Computer  Sciences  and  Technology,  and  the  Center  for  Materials 
Science. 


The  National  Measurement  Laboratory 

Provides  the  national  system  of  physical  and  chemical  measurement; 
coordinates  the  system  with  measurement  systems  of  other  nations  and 
furnishes  essential  services  leading  to  accurate  and  uniform  physical  and 
chemical measurement throughout the Nation's scientific community, industry,
and commerce; provides advisory and research services to other
Government agencies; conducts physical and chemical research; develops,
produces, and distributes Standard Reference Materials; and provides
calibration  services.  The  Laboratory  consists  of  the  following  centers: 


• Basic Standards²

•  Radiation  Research 

•  Chemical  Physics 

•  Analytical  Chemistry 


The  National  Engineering  Laboratory 


Provides  technology  and  technical  services  to  the  public  and  private  sectors  to 
address  national  needs  and  to  solve  national  problems;  conducts  research  in 
engineering and applied science in support of these efforts; builds and maintains
competence in the necessary disciplines required to carry out this
research  and  technical  service;  develops  engineering  data  and  measurement 
capabilities;  provides  engineering  measurement  traceability  services;  develops 
test  methods  and  proposes  engineering  standards  and  code  changes;  develops 
and  proposes  new  engineering  practices;  and  develops  and  improves 
mechanisms  to  transfer  results  of  its  research  to  the  ultimate  user.  The 
Laboratory  consists  of  the  following  centers: 


• Applied Mathematics

• Electronics and Electrical Engineering²

• Manufacturing Engineering

• Building Technology

• Fire Research

• Chemical Engineering²


The  Institute  for  Computer  Sciences  and  Technology 


Conducts  research  and  provides  scientific  and  technical  services  to  aid 
Federal agencies in the selection, acquisition, application, and use of computer
technology to improve effectiveness and economy in Government
operations  in  accordance  with  Public  Law  89-306  (40  U.S.C.  759),  relevant 
Executive  Orders,  and  other  directives;  carries  out  this  mission  by  managing 
the  Federal  Information  Processing  Standards  Program,  developing  Federal 
ADP  standards  guidelines,  and  managing  Federal  participation  in  ADP 
voluntary standardization activities; provides scientific and technological advisory
services and assistance to Federal agencies; and provides the technical
foundation for computer-related policies of the Federal Government. The Institute
consists of the following centers:


• Programming Science and Technology

• Computer Systems Engineering


The  Center  for  Materials  Science 


Conducts  research  and  provides  measurements,  data,  standards,  reference 
materials, quantitative understanding and other technical information fundamental
to the processing, structure, properties and performance of materials;
addresses the scientific basis for new advanced materials technologies; plans
research around cross-country scientific themes such as nondestructive
evaluation and phase diagram development; oversees Bureau-wide technical
programs in nuclear reactor radiation research and nondestructive evaluation;
and broadly disseminates generic technical information resulting from
its  programs.  The  Center  consists  of  the  following  Divisions: 


Inorganic  Materials 

Fracture and Deformation³

Polymers 

Metallurgy 

Reactor  Radiation 


¹Headquarters and Laboratories at Gaithersburg, MD, unless otherwise noted; mailing address
Gaithersburg, MD 20899.

²Some divisions within the center are located at Boulder, CO 80303.
³Located at Boulder, CO, with some elements at Gaithersburg, MD.

ABSTRACT


The  proceedings  of  an  International  Workshop  held  at  the  National  Bureau  of 
Standards  on  March  27  and  28,  1984  are  presented.    The  purpose  of  the  workshop 
was  to  examine  the  application  of  risk  analysis  in  offshore  oil  and  gas 
operations.    The  proceedings  include:  an  executive  summary,  an  introduction, 
and  summary  reports  and  recommendations  of  four  Working  Groups:  Standards, 
Codes,  and  Certification;  Concept  Evaluation  and  Design;  Operation  and 
Maintenance;  and  Logistics  and  Support.    Also  included  are  theme  presentations 
on  current  practice  in  the  United  States,  Great  Britain,  and  Norway,  and  on 
current  risk  assessment  methodologies. 

Keywords: Codes; drilling platforms; gas production; marine engineering; ocean
engineering; offshore platforms; oil production; petroleum engineering;
probability risk analysis; regulations; shipping; standards.

EXECUTIVE SUMMARY


On  March  27  and  28,  1984,  an  International  Workshop  on  "Application  of  Risk 
Analysis  to  Offshore  Oil  and  Gas  Operations"  was  held  at  the  National  Bureau 
of  Standards  (NBS),  Gaithersburg,  Maryland,  U.S.A.    The  workshop  was  organized 
by  NBS  and  sponsored  by  the  Technology  Assessment  and  Research  Branch  of  the 
Minerals  Management  Service  (MMS).    It  was  attended  by  an  invited  group  of 
experts  from  industry,  government  agencies,  the  engineering  profession,  the 
construction  industry,  labor  unions,  and  public  interest  groups. 

The  purpose  of  the  workshop  was  to  examine  the  utilization  of  risk  analysis  in 
offshore  oil  and  gas  operations.    First,  various  aspects  of  present  practice 
were  discussed  by  four  theme  speakers.    Subsequently,  four  working  groups 
convened  and  developed  position  papers  and  recommendations. 

Dr.  Floyd  Tuler  from  Worcester  Polytechnic  Institute  outlined  the  task  of  the 
Working  Groups  as  follows: 

Group  I  should  deal  with  the  application  of  risk  analysis  and  reliability 
engineering  in  the  formulation  of  standards,  codes,  and  certification 
requirements.    Risk  analysis  could  be  used  as  a  basis  for  specifications  and 
recommended  practices  and  is  in  some  instances  required  in  the  approval 
procedure  for  projects. 

Group  II  should  deal  with  the  application  of  risk  analysis  and  reliability 
engineering  techniques  to  planning,  siting,  construction,  and  maintenance  of 
offshore  facilities. 

Group  III  should  deal  with  the  application  of  risk  analysis  to  the  design, 
operation,  and  maintenance  of  offshore  production  systems. 

Group  IV  should  be  concerned  with  risk  analysis  and  reliability  engineering 
techniques  in  logistics  and  support  facilities. 

The following guideline was suggested for working group discussions and reports:
consider actual experiences; identify barriers to implementation; identify
appropriate analysis techniques; identify data needs; identify opportunities
for using risk analysis; identify research needs; list references.

Dr.  Tuler  also  summarized  some  of  the  conclusions  of  a  study  he  is  conducting 
on  behalf  of  MMS  to  examine  the  possibilities  and  limitations  of  using  risk 
analysis  in  managing  offshore  safety.    The  conclusions  of  the  study  are  that: 

1.  Development  of  offshore  activities  in  the  Gulf  of  Mexico  has  been 
gradual;  use  of  risk  analysis  will  become  more  important  for  new 
environments  and  new  concepts. 

2.  Risk  analysis  can  focus  attention  on  problem  areas  where  R&D  is  needed. 

3. Risk analysis can put discussion of safety on a more rational basis.

The following limitations to risk analysis were identified:

1.  Risk  analysis  tends  to  focus  on  catastrophic  events  and  ignore  routine 
events. 

2.  Consequences  that  can  be  quantified  tend  to  assume  exaggerated  importance 
compared  to  those  that  remain  qualitative. 

3. There is a perception that risk analysis will lead to more stringent
standards.  However,  there  are  examples  where  risk  analysis  leads  to 
relaxation  of  requirements. 

The full text of the working group reports is presented in Section 2 of this
report. Each report is summarized below.


Working  Group  I,  Standards,  Codes  and  Certification 

1.  State  of  Practice 

Many U.S. Government agencies require or employ risk analysis. During the
mid-1970's, MMS commenced requiring use of API RP 14C, Analysis, Design, Installation,
and Testing of Basic Surface Safety Systems in Offshore Platforms. USCG implemented
a similar requirement in 1979 to apply to MODU's. The most comprehensive
requirement was issued by NPD in 1981. Working Group I found some resemblance
to  the  NPD  requirements  in  the  "Requirements  to  Verify  the  Structural  Integrity 
of  OCS  Platforms"  issued  by  MMS  in  1979,  which  requires  consideration  of 
accidental  loadings  that  must  be  quantified.    API  RP  2A,  Recommended  Practice 
for  Planning,  Designing  and  Constructing  Offshore  Platforms,  also  recommends 
risk  analysis  for  platform  sites  for  which  "environmental  conditions  have  not 
been  codified." 

2.  Problem  Areas 

In Failure Mode and Effect Analysis (FMEA), unless due care is exercised,
failure, hazards, downtime, and defects tend to be merged in the single yardstick
of "impact", thus obscuring contributing factors.

Human  factors  such  as  negligence  or  the  value  of  human  life  are  difficult  to 
quantify.    Even  if  data  are  generated,  they  may  not  be  convincing. 

Quantitative  reliability  analysis  is  limited  by  inadequate  data  bases  and 
deficiencies  in  modeling.    Existing  hard  data  must  be  supplemented  by 
engineering  judgement. 

• Probability density functions are difficult to obtain and enormous
inaccuracies result when very small numbers at the tails of these functions
are obtained by extrapolation.

• Modeling of system reliability considering component interaction requires
further study.

• Problems of start-up failures and aging are generally not accurately
addressed and the assumption is made that any system that did not fail is
as good as new.

• The frequently used assumption of statistical independence of the variables
can lead to gross errors.

3.  Data  Acquisition  and  Research  Needs 
Better  and  more  reliable  data  are  needed. 

• Data on frequency of loss, exposure, and consequences of loss are needed.

• A Marine Board Committee on safety recommended that MMS establish an OCS
safety information system for acquiring comprehensive event and exposure
data, calculating frequency and severity of events, and analyzing trends.*

There  is  need  to  train  practitioners  in  risk  analysis  and  to  educate  the  public. 

4.  Opportunities  for  Application 

In  the  Gulf  of  Mexico  operations,  for  which  extensive  experience  exists, 
design  methods  should  be  improved  by  reliability-based  procedures.  Risk 
analysis would be very useful for novel design concepts in less known environments.
Qualitative, as well as quantitative analyses are appropriate for
these  situations. 

The  use  of  risk  analysis  in  the  U.S.  voluntary  consensus  standards  is  increasing 
and  will  further  increase  in  the  future. 


Working  Group  II,  Concept  Evaluation  and  Design 
1.     State  of  Practice 

The  integration  of  specific  discipline-oriented  studies  into  a  single  risk 
projection  is  difficult  in  offshore  engineering  because  of  the  varying  qualities 
of  the  different  data  bases.    In  spite  of  this  fundamental  difficulty,  a  number 
of  examples  of  effective  uses  of  reliability  analysis  in  offshore  design 
problems  are  highlighted  in  the  Working  Group  report:    before  design  (e.g., 
selection  of  design  wave  heights),  during  design  (e.g.,  gravity  structure 
foundation  penetration  criteria),  during  construction  (e.g.,  reliability 
analysis of underdriven piles), and during operation (e.g., inspection strategies
of platforms). It is pointed out that: (1) most of the studies conducted
so far pertain to unusual projects in frontier areas, both geographically and
conceptually; (2) these studies were not comprehensive or technically rigorous;
and (3) the studies were not developed to a level suitable for routine
application.

* As pointed out by J. L. Rankin, Regional Director, Gulf of Mexico OCS Region,
MMS, the Minerals Management Service has established an "Events File" containing
detailed information on accidents that occurred and were reported in the Gulf
of Mexico OCS. In addition, a semi-annual accident report is published by MMS
(Editors' Note).

2.  Problem  Areas 

These  were  identified  as  follows: 
• Organizational and communication problems.

• The present state-of-the-art in reliability analysis and, in many instances,
the lack of sufficient data preclude the use of rigorous analyses.

• The possible perception that reliability can be sterile and meaningless,
if used strictly for satisfying regulations, rather than to aid the design
decision process.

3.  Research  Needs 
These  were  identified  as: 

• Data acquisition

• Technological improvements to reduce modeling uncertainties

• Reliability theory

• Development of procedures, including quality control procedures, aimed at
reducing risks due to gross error

4.  Opportunities  for  Implementation  and  Application 

Reliability  analysis  should  be  used  creatively  as  a  tool  for  innovative  design 
and  decisionmaking,  rather  than  merely  as  a  means  of  obtaining  numbers  with 
possibly  dubious  physical  significance. 


Working  Group  III,  Operation  and  Maintenance 
1.     State  of  Practice 

The  working  group  report  notes  that  risk  analysis  should  not  be  viewed  as  an 
all  purpose  tool.    Rather,  it  is  one  of  many  tools  that  may  be  helpful  in 
identifying  and  solving  some  safety  problems,  particularly  for  simple  components 
or  for  subsystems,  as  opposed  to  entire  facilities.    The  application  of  risk 
analysis  is  likely  to  be  a  useful  tool  in  nonroutine,  frontier  problems.  As 
far  as  the  design  stage  is  concerned,  risk  analysis  can  be  used  in  two  principal 
ways: 


• To assist in project development or for initial evaluation by operators of
various economic and safety aspects of the design. This is typically done,
for example, in the U.K. Sector of the North Sea.

• To demonstrate compliance with statutory numerical targets of risk, as is
the case in the Norwegian Sector of the North Sea.

In  operation  and  maintenance,  risk  analysis  may  be  employed  to  assist,  where 
appropriate,  in  developing  operating  procedures  in  the  form  of  policy,  safety 
manuals,  procedure  guides,  and  contingency  plans.    Safety  procedures  are 
procedures  for  periodically  inspecting,  testing,  and  reporting  on  all  safety 
devices  and  redundant  procedures.    Individual  companies  are  assisted  by  industry 
groups  in  the  development  of  safety  procedures.    To  ensure  that  safety  procedures 
are  properly  implemented,  continuous  training  of  safety  personnel  is  essential. 

Some  of  the  working  group  members  felt  that  risk  analysis  may  be  of  value  in 
developing  "man-machine"  interfaces,  which  will  make  human  errors  less  likely, 
in  particular,  errors  leading  to  blowouts.    However,  even  if  such  technological 
improvements  were  made,  training,  experience,  and  supervision  remain  the  key 
factors  in  preventing  blowouts. 

The working group notes that safety management requires extensive use of
redundant systems and safety devices. It also notes the need for extensive
computerized systems to track the testing and maintenance of surface and
subsurface safety devices.

2.  Problem  Areas 

The  application  of  formal  risk  analysis  methods  is  associated  with  difficulties 
in: 

• Obtaining accurate failure mode and failure rate data for the many components
of a given system.

• Obtaining accurate probability distributions of losses resulting from
system failure, given the absence of sufficient historical data.

• Obtaining operational history related to component failure and prior
maintenance work.

• Assessing the influence of human factors, a task that becomes increasingly
difficult as the amount of human interactions required for system operation
increases.

3.  Opportunities  for  Application 

• Efforts to keep failure mode and failure rate data current with the
evolution of technological developments, and otherwise supplement reliability
data bases.

• Creating training opportunities to familiarize engineers with practical
risk analysis tools, since engineers who are routinely involved in the
operation and maintenance of facilities are in the best position to
identify areas where these tools can be applied effectively.

• Improving training and management with a view to reducing the possibility
that human errors might occur.


Working  Group  IV,  Logistics  and  Support 
1.     State  of  Practice 
It  was  noted  that: 

• Risk to be considered should include serious loss or damage, as well as
operability and downtime considerations which are primarily economical.

• Estimated measures of risk are meaningless unless they are linked with
acceptability criteria or used to compare alternatives.

• Information on the confidence limits of risk estimates should be retained.

Various  methodologies  and  their  application  are  reviewed,  including: 

• Theory of second order stationary random processes, which is widely used
in the logistics and support field. Applications identified are work
barge operability studies, voyage risk analysis for sea fastenings,
production jackets, jack-up legs and mounts, tanker loading at offshore
terminals, and real-time offshore crane operations.

• Markov process analysis, which is applicable to wind and wave climatologies,
ice movements, and operational windows. Examples of applications include
logistics and supply relative to the Hutton TLP, and real-time offshore
crane operations.

• Queuing Theory, which may be applied to transportation and supplies to
offshore platforms, tanker waiting times, and average idle time in offshore
oil terminals.

• Time domain simulations (which could be coupled with Monte Carlo statistical
methods), which can be used to incorporate nonlinear system elements and
to introduce human operator input. Examples of applications are studies
of probable oil spill trajectories.

• Monte Carlo statistical methods used in conjunction with other simulation
techniques where random variables are incorporated.

2. Data Acquisition and Research Needs

Data  needs  are  in  three  areas:    joint  probabilities,  statistical  data,  and 
distribution  of  critical  system  events.    Data  needs  include: 

• Wave and sea states

• Ice floes, keels, windows, and accretion rates

• Visibility

• Environmental disturbances to navigation and communications

• Seamanship (i.e., speed vs. directional sea states)

• Capabilities (to cope with adverse conditions)

• Spills; cleanup capabilities vs. broken ice cover, dispersion rates and
trajectories in the Arctic

R&D  needs  include: 

• Human factors (seamanship, capabilities, real-time feedback effects)

• Nonlinear problems

• Stability and capsize in a seaway

• Roll damping

• Drift forces (shallow water)

• Steep irregular wave fields

• Higher-order response theories

• Statistical decision procedure

3.  Opportunities  for  Implementation 

• Consideration of logistics and support during the design stage.

• Consideration of logistics and support as a subsystem in a more global
risk analysis (emergency response and assistance, support craft and
facilities as a source of hazard).

Barriers to implementation include: institutional barriers reflecting
unfamiliarity with the probabilistic perspective (i.e., marine surveyors with
specification type rules); the proprietary nature of data; lack of sufficient
time during emergencies and salvage situations; and information that cannot be
readily utilized by users and operators.

It was noted by the participants that the workshop promoted much-needed
communications  among  practitioners.    It  was  emphasized  that  the  terms  "risk 
analysis"  and  "risk  assessment"  are  used  without  a  clear  definition  of  their 
specific  meaning,  and  that  risk  analysis  techniques  are  more  easily  applied 
when  considering  financial  risks  than  when  considering  risk  to  humans. 

In  addition  to  the  working  group  reports,  much  information  was  conveyed  in 
invited  theme  papers  and  other  contributions.    The  theme  papers  included:  an 
overview  of  present  practice  in  the  U.S.;  a  review  of  safety  and  reliability 
assessment  methodologies;  and  a  review  of  the  use  of  reliability  analysis  in 
the  safety  management  of  offshore  development  projects  in  Norway. 

In  addition,  information  was  conveyed  on  an  E&P  Forum  study  of  risk  analysis  in 
offshore  exploration  and  on  a  project  in  which  offshore  reliability  data  are 
collected.    These  contributions  are  summarized  and  presented  in  Appendix  I. 

A list of workshop participants is included in Appendix II.

1. INTRODUCTION


The  construction,  operation,  and  maintenance  of  offshore  oil  and  gas  production 
facilities  in  hostile  environments  require  innovative  and  frequently  untried 
engineering  solutions.    The  assessment  of  risk  is,  therefore,  a  key  element  in 
decisionmaking  required  for  the  planning,  design,  and  operation  of  these 
facilities.

On  March  26  and  27,  1984,  an  International  Workshop  on  the  Application  of  Risk 
Analysis  to  Offshore  Oil  and  Gas  Operations  was  held  at  the  National  Bureau  of 
Standards, Gaithersburg, Maryland. The workshop was attended by an invited
group  of  experts.    It  was  organized  by  the  National  Bureau  of  Standards  (NBS) 
and  sponsored  by  the  Technology  Assessment  and  Research  Branch  of  the  Minerals 
Management  Service  (MMS),  U.S.  Department  of  the  Interior. 

The  purpose  of  the  workshop  was  to  assess  current  practice.    First,  various 
aspects  of  the  state-of-the-art  were  discussed  by  four  theme  speakers: 
Mr.  F.  P.  Dunn  from  Shell  Oil  Company,  Houston,  Texas,  gave  an  overview  of 
current  U.S.  practice;  Dr.  David  Slater  from  Technica,  London,  United  Kingdom, 
discussed probabilistic risk assessment methodologies; Dr. Øystein Berg from the
Norwegian  Petroleum  Directorate  (NPD)  discussed  the  Norwegian  approach  to 
management  of  offshore  risk;  Dr.  Floyd  Tuler  from  Worcester  Polytechnic  Institute 
introduced  the  topics  to  be  discussed  in  the  course  of  the  workshop.    After  the 
presentations  of  the  theme  speakers,  the  workshop  participants  were  organized 
into  four  working  groups  covering  the  following  topics. 


Working Group I - Standards, Codes, and Practice

Scope: Application of risk analysis and reliability engineering techniques
in the area of standards, codes, and certification.

Chairman: Mr. Stanley Stiansen, American Bureau of Shipping


Working Group II - Concept Evaluation and Design

Scope: Application of risk analysis and reliability engineering techniques
to the planning, siting, design, and construction of offshore oil
and gas production facilities.

Chairman: Professor Fred Moses, Case Western Reserve University


Working Group III - Operation and Maintenance

Scope: Application of risk analysis to the operation and maintenance of
offshore oil and gas facilities.

Chairman: Professor Adam T. Burgoyne, Louisiana State University


Working Group IV - Logistics and Support

Scope: Application of risk analysis in the exchange of material, energy,
and personnel between the shore and offshore installations.

Chairman: Mr. Bruce Hutchison, Glosten Associates

Each  working  group  prepared  a  summary  report  addressing  the  following  topics: 

1.  State  of  Practice  (experience  in  application) 

2.  Problem  Areas 

3.     Data  Acquisition  and  Research  Needs

4.     Opportunities  for  Implementation  and  Application 

The working group summaries are presented in Section 2. Appendix I contains
the text and a summary of the theme presentations and other written contributions.
Appendix II contains a list of participants.

REPORTS OF WORKING GROUPS


INTRODUCTORY  COMMENTS  TO  THE  WORKING  GROUPS 


by 

Floyd  R.  Tuler 

Mechanical  Engineering  Department 
Worcester  Polytechnic  Institute 
Worcester,  Massachusetts 


When  we  were  picking  a  title  for  this  workshop,  we  of  course  wanted  one  that 
would  convey,  as  best  as  possible,  the  purpose  and  content  of  the  meeting. 
After  listening  to  the  three  lectures  this  morning,  I  think  that  we  could  have 
used  the  subtitle  -  "And  how  to  reduce  the  probability  that  the  BEST  LAID  PLANS 
OF  MICE  AND  MEN  OFTEN  GO  ASTRAY." 

There  can  be  no  disagreement  that  everyone  concerned  with  offshore  operations 
wants  better  ways  to  anticipate  and  cope  with  their  hazards.    Designers,  builders, 
operators,  owners,  insurers,  workers,  regulators,  and  neighbors  would  all 
prefer  that  the  risks  associated  with  these  technologies  be  reduced  to  the 
lowest  levels  that  can  be  achieved  at  reasonable  cost.    But  disagreement  might 
arise  over  what  are  the  hazards,  to  what  levels  can  they  be  reduced,  and  what 
is  a  reasonable  cost  for  reducing  them. 

Risk  analysis  is  a  relatively  new  and  promising  approach  which  might  be  used 
to identify, analyze, and manage the hazards associated with complex technological
projects such as offshore oil and gas operations. A full risk analysis
of  a  design  or  an  operating  procedure  requires  a  number  of  steps,  as  shown  in 
figure  1. 

First,  an  analysis  is  performed  to  identify  the  hazards,  and  the  risks  and 
consequences  associated  with  these  hazards.    Next,  based  on  acceptance  criteria 
and  other  requirements,  the  risks  are  evaluated  by  asking  the  question  -  are 
they  acceptable?    That  is,  does  the  estimated  level  of  risk  meet  the  acceptance 
criteria  and  other  requirements? 

If  the  answer  is  NO  -  the  design  or  procedure  must  be  revised  or  the  criteria 
or  requirements  could  be  modified.    If  the  answer  is  YES,  the  design  or  procedure 
is  acceptable  and  the  activity  proceeds  to  whatever  the  next  step  might  be. 
The  risk  assessment  is  essentially  a  technical  activity,  and  forms  the  major 
part of the concerns of Working Groups II, III and IV. The setting and definition
of the acceptance criteria and other requirements is the concern of Group I.
Before  I  discuss  the  specific  tasks  facing  the  working  groups,  I  would  like  to 
take  a  few  minutes  to  briefly  summarize  some  important  issues  raised  this 
morning  as  they  relate  to  the  deliberations  of  the  working  groups. 

Pat  Dunn,  in  his  discussion  of  current  practice  in  the  U.S.,  highlighted  a 
problem  that  we  are  all  going  to  have  with  definitions.    The  working  groups 
will  need  to  make  clear  what  they  mean  when  they  use  these  various  terms. 
There is an important distinction to be made between a reliability analysis
which  considers  the  failure  of  a  component  or  subsystem  subjected  to  an  isolated 
event  and  a  risk  analysis  which  considers  the  interaction  between  components 
and  subsystems  subjected  to  a  combination  of  events.    Pat  described  some  useful 
applications  of  reliability  analysis,  as  shown  in  figure  2. 

First,  he  gave  us  an  example  of  the  optimization  of  a  structural  design  concept 
given  uncertainties  in  both  the  loading  conditions  and  the  response  of  the 
structure.    He  also  gave  us  some  interesting  examples  of  how  reliability  analysis 
has  been  used  to  develop  API  recommended  practices  for  structural  design  and 
criteria  for  installations  in  the  Gulf  of  Mexico,  and  how  recommended  API 
practices  and  specifications  for  well  completion  systems  were  based  on  an 
analysis  incorporating  the  reliability  of  key  components.    In  addition,  he 
described  how  a  formal  risk  analysis  was  used  by  manufacturers  and  operators  as 
background  for  API  recommendations  on  operation  and  maintenance  of  offshore 
cranes.    These  examples  highlight  two  broadly  different  uses  for  risk  analysis  - 
and  I'll  have  more  to  say  about  this  later. 

The next speaker, Øystein Berg, gave us an overview of the regulatory framework
for offshore operations in Norway, and their specific use of risk analysis in
the approval procedure for an offshore installation (see figure 3). Ten
different  safety  analyses  were  suggested  for  the  early  phases  of  the  project 
when  it  is  easier  and  less  costly  to  influence  the  final  results.  Through 
these  analyses  the  safety  of  an  installation  can  be  checked  at  three  levels: 

SERVICEABILITY  CONTROL  -  or  what  might  be  called  by  some  an  availability 
study.    This  is  concerned  with  reducing  downtime. 

COMPONENT FAILURE CONTROL - is concerned with structural, equipment, and
component reliability.

These  two  risk  evaluations  are  generally  covered  by  existing  codes,  regulations, 
and  practices. 

The  third  type  of  safety  evaluation  -  MAJOR  ACCIDENT  CONTROL  -  is  concerned 
with  analyzing  the  risks  to  the  complete  installation  when  an  unfavorable  event 
might  jeopardize  a  large  number  of  lives  or  cause  severe  pollution  or  major 
economic  loss.    The  procedures  and  criteria  for  major  accident  control  were 
not directly covered by existing codes and regulations in Norway, so a
requirement was introduced for executing a concept safety study. The evaluation is
based  on  specific  design  accident  events,  such  as  blow-out,  fire,  explosion, 
extreme  weather,  and  combinations  of  these.    Specific  criteria  for  evaluating 
the  risks  are  specified  in  guidelines  so  that  although  formal  risk  analysis 
is  not  explicitly  mandated,  it  becomes  the  best  method  by  which  the  risks  can 
be  identified  for  the  evaluation.    The  aim  of  the  concept  safety  evaluation  is 
to  establish  an  acceptance  level  to  risk  for  the  entire  system. 

The issues raised by contrasting the U.S. and Norwegian systems of safety
management  could  keep  Working  Group  I  busy  for  months,  I'm  afraid,  rather  than 
the  allotted  time  of  less  than  one  day. 
OVERVIEW OF CURRENT PRACTICE (F. P. DUNN)

RELIABILITY  ANALYSIS  OF  COMPONENT  OR  SUBSYSTEM 
OPTIMIZE  STRUCTURAL  CONCEPT 
DEVELOP  RECOMMENDED  PRACTICE 
STRUCTURAL  DESIGN  CRITERIA 
OFFSHORE  CRANES 


Figure  2  -  Summary  of  Applications  of  Reliability  Analysis 
from  Paper  by  F.  P.  Dunn 
MANAGEMENT OF OFFSHORE RISKS IN NORWAY (Ø. BERG)

RISK  ANALYSIS  REQUIREMENTS  IN  APPROVAL  PROCEDURES 
SAFETY  MANAGEMENT  FRAMEWORK 
SERVICEABILITY  CONTROL 
COMPONENT  FAILURE  CONTROL 
MAJOR  ACCIDENT  CONTROL 
CONCEPT  SAFETY  STUDY 
EXPLICIT  ACCEPTABLE  LEVEL  OF  RISK 


Figure 3 - Summary of Management of Offshore Risks in Norway
from Paper by Ø. Berg
The last speaker, David Slater, reviewed the techniques for doing the full
range  of  safety  and  reliability  studies.    Since  we  didn't  have  his  paper  in 
advance,  we'll  have  to  make  do  with  the  generic  slide  shown  in  figure  4.  For 
the  most  part,  the  examples  were  for  applications  of  the  various  techniques  to 
operations  in  the  North  Sea.    He  stated  that  this  is  rarely  a  problem,  and  I  hope 
that  this  point  will  be  actively  debated  in  the  workshops.    He  also  contrasted 
the  use  of  analysis  methods  such  as  Hazard  and  Operability  Studies  and  Failure 
Modes  and  Effects  Analysis  with  the  widely  used  API  Recommended  Practice  RP  14C 
for  setting  minimum  standards  for  surface  safety  devices.    More  than  one  of  the 
working  groups  can  address  this  issue. 

For  the  last  one  and  a  half  years  or  so  I  have  been  involved  in  a  study  for 
Sandia  National  Laboratories  in  cooperation  with  the  Minerals  Management  Service, 
in  which  we  examined  the  possibilities  and  limitations  of  using  risk  analysis 
in managing offshore safety. Two of my colleagues on this study - Chris Hill
and  David  Cheney  -  are  also  here.    The  last  major  policy  study  of  offshore 
safety,  "Energy  Under  the  Ocean,"  was  done  in  1973  and  a  lot  has  happened  since 
then  to  make  a  review  of  the  use  of  risk  analysis  for  offshore  projects 
worthwhile.    Although  the  final  report  has  not  been  completed,  I  can  briefly 
summarize some of our conclusions as they may be relevant to the working groups:

•  Development  of  offshore  activities  in  the  Gulf  of  Mexico,  where  we  have 
most  of  our  experience,  has  been  evolutionary.    Use  of  risk  analysis  becomes 
more  important  when  new  environments  are  encountered  and  new  concepts  are 
considered. 

•  Risk  analysis  can  focus  attention  on  problem  areas  where  research  and 
development  are  most  needed. 

•  Risk  analysis  is  a  tool  which  can  put  discussions  of  safety  on  a  more  rational 
basis  for  all  the  interested  parties.    Publication  of  assumptions,  methods, 
and  results  could  help  to  allay  concerns  about  offshore  safety.  Furthermore, 
recent  legal  developments  indicate  that  there  could  be  liability  associated 
with  not  using  state-of-the-art  techniques. 

We  also  identified  some  limitations  of  the  use  of  risk  analysis: 

•  Formal  risk  analysis  tends  to  focus  attention  on  the  catastrophic  events 
while  ignoring  the  more  routine  events  which  in  aggregate  may  also  cause 
significant  loss  and  damage.  Thus,  formal  risk  analysis  should  not  be  a 
substitute  for  other  more  traditional  approaches  to  safety  management. 

• Risk analysis may be subject to the fallacy of "misplaced concreteness," in
which  the  consequences  that  can  be  quantified  take  on  an  exaggerated 
importance  relative  to  those  that  remain  more  qualitative. 

•  Finally,  there  is  a  general  perception  that  risk  analysis  always  leads  to 
more  stringent  standards.    However,  there  are  examples  which  show  that 
risk  analysis  can  lead  to  a  relaxation  in  specified  requirements. 
METHODOLOGIES FOR ANALYSIS OF SAFETY AND RELIABILITY


(D.  H.  SLATER  AND  R.  A.  COX) 

CONCEPTUAL  DESIGN  SAFETY  EVALUATIONS 
HAZARD  ANALYSES 
STRUCTURAL  RELIABILITY 
SHIP  COLLISION 


Figure 4 - Summary of Methodologies for Analysis of Safety and
Reliability from Paper by D. H. Slater and R. A. Cox
The details of these conclusions and our recommendations will have to wait a
little  longer  for  the  completion  and  submission  of  our  report. 

I  finally  come  to  a  discussion  of  the  task  of  the  working  groups.  The 
chairman  for  each  group  has  prepared  a  position  paper  and  you  should  have  copies 
of  these  papers.    In  each  case,  these  papers  provide  the  background  for  the 
concerns  of  the  working  group.    In  addition,  the  earlier  papers  have  substantive 
conclusions  concerning  the  application  of  risk  analysis  to  the  topics  of  the 
respective working groups. It is up to the group to accept, reject, or modify
the  position  paper  and  in  particular  the  conclusions.    I  will  discuss  the  scope 
of  each  working  group,  but  you  should  realize  that  the  boundaries  between  the 
groups  are  elastic  and  fuzzy. 

The  chairman  of  Working  Group  I  is  Stan  Stiansen  from  the  American  Bureau  of 
Shipping and the rapporteur is Charles Bookman, of the Marine Board (see
figure 5). Working Group I is concerned with the application of risk analysis and
reliability  engineering  techniques  in  the  formulation  of  standards,  codes,  and 
certification  requirements. 

Risk  analysis  can  play  two  separate  roles  in  this  area.    As  we  heard  in  Pat 
Dunn's  presentation,  risk  analysis  and  reliability  analysis  can  be  used  to 
provide  the  basis  for  detailed  specifications  or  for  recommended  practices. 
And as we heard in Øystein Berg's presentation, one or more risk analyses might
be  required  as  part  of  the  approval  procedure  for  a  project.    These  two  uses  of 
risk  analysis  are  intimately  tied  to  the  differences  between  performance  standards 
and  specification  standards.    Specification  standards  can  represent  the  cumulative 
knowledge  and  experience  of  all  those  concerned  with  the  particular  technology. 
On  the  other  hand,  performance  standards  tend  to  encourage  innovative  solutions 
to  specific  problems,  taking  into  account  the  particulars  of  each  case. 

The  second  working  group  has  as  its  chairman  Professor  Fred  Moses  from  Case 
Institute  of  Technology;  the  rapporteur  is  Professor  Paul  Wirsching  from  the 
University  of  Arizona  (see  figure  6).    The  concern  of  this  group  is  the 
application  of  risk  analysis  and  reliability  engineering  techniques  to  the 
planning,  siting,  construction,  and  maintenance  of  offshore  structures.  This 
scope  is  different  than  originally  planned  -  construction,  maintenance,  and 
inspection  of  the  structure  are  added  concerns.    Our  speakers  this  morning 
highlighted  what  is  one  of  the  central  questions  for  this  topic.    From  one 
point  of  view,  the  reliability  of  components  and  subsystems  is  analyzed  when 
they  are  subjected  to  isolated  accidental  events.    In  the  other  case,  the  safety 
of  the  total  system  is  evaluated,  based  on  consideration  of  the  interactions 
between  the  components  and  subsystems  when  they  are  subjected  to  accidental 
events  which  may  occur  in  combinations.    Since  there  is  already  a  large  and 
growing  activity  in  considering  the  total  system  safety,  it  would  be  particularly 
helpful  here  to  amplify  on  some  specific  examples  -  giving  details  of  the 
techniques  used  and  the  results. 

Working Group III is concerned with the application of risk analysis and
reliability engineering to design, operation, and maintenance of offshore facilities
(see  figure  7).    By  facilities  I  mean  the  production  systems,  which  is  again  a 
WORKING GROUP I

STANDARDS,  CODES,  AND  CERTIFICATION 


CHAIRMAN:    STANLEY  STIANSEN 

RAPPORTEUR:    CHARLES  BOOKMAN 

APPLICATION  OF  RISK  ANALYSIS  AND  RELIABILITY  ENGINEERING 
TECHNIQUES  IN  THE  FORMULATION  OF  STANDARDS,  CODES,  AND 
CERTIFICATION  REQUIREMENTS. 

*  AS  BASIS  FOR  FORMULATION 

*  ANALYSIS  REQUIREMENTS 

*  PERFORMANCE  STANDARDS  VS  SPECIFICATION  STANDARDS 


Figure  5  -  Working  Group  I  -  Standards,  Codes,  and  Certification 
WORKING GROUP II

CONCEPT  EVALUATION  AND  DESIGN 


CHAIRMAN:  FRED  MOSES 

RAPPORTEUR:  PAUL  WIRSCHING 

APPLICATION  OF  RISK  ANALYSIS  AND  RELIABILITY  ENGINEERING 
TECHNIQUES  TO  THE  PLANNING,  SITING,  AND  CONSTRUCTION  OF 
OFFSHORE  OIL  AND  GAS  PRODUCTION  FACILITIES. 

*  SYSTEM  SAFETY/SUBSYSTEM  RELIABILITY 

OPTIMIZING  REMEDIAL  CONSTRUCTION  STRATEGIES 
ESTABLISHING  DESIGN  CRITERIA 
SPECIFYING  STRUCTURAL  DESIGN  PARAMETERS 


Figure  6  -  Working  Group  II  -  Concept  Evaluation  and  Design 
of  Structure 
WORKING GROUP III
OPERATION  AND  MAINTENANCE 


CHAIRMAN:  ADAM  BOURGOYNE 

RAPPORTEUR:  STRUAN  SIMPSON 

APPLICATION  OF  RISK  ANALYSIS  AND  RELIABILITY  ENGINEERING 
TECHNIQUES  TO  THE  OPERATION  AND  MAINTENANCE  OF  OFFSHORE 
OIL  AND  GAS  FACILITIES. 

*  DEVELOPING  OPERATING  PROCEDURES,  POLICY,  SAFETY  MANUALS, 
PROCEDURE  GUIDES,  CONTINGENCY  PLANS 

*  OPTIMIZING  MAINTENANCE  PROCEDURES  AND  SCHEDULING 


Figure  7  -  Working  Group  III  -  Operation  and  Maintenance  of 
Production  Systems 




change  in  scope.    Professor  Ted  Bourgoyne  from  Louisiana  State  University  is 
the  chairman,  and  the  rapporteur  is  Struan  Simpson  of  the  E&P  Forum  in  London. 

In  this  area,  applications  of  risk  analysis  could  include  the  development  of 
procedures and plans for safe operation of the installation and for optimizing
maintenance  procedures  and  scheduling  to  reduce  downtime.    Specific  problems  in 
using  quantitative  risk  analysis  in  these  areas  have  been  pointed  out  by  Ted 
Bourgoyne  in  this  paper.    These  include: 

1.  lack  of  data  for  failure  modes  and  failure  rates  of  components, 

2.  not  having  accurate  probability  distributions  for  the  consequences  of  a 
system  failure,  and 

3.  how  to  predict  human  errors. 

Working  Group  IV  is  concerned  with  Logistics  and  Support.    The  chairman  of 
this  group  is  Bruce  Hutchison  from  the  Engineering  consulting  firm  of 
Glosten  Associates  (see  figure  8).    The  topics  to  be  covered  by  this  working 
group  include  the  application  of  risk  analysis  in  the  movement  of  material, 
energy,  and  people  between  the  shore  and  the  offshore  facility.    The  uncertain 
hazards  of  the  offshore  environment  complicate  considerably  the  setting  of 
schedules  and  inventories  under  normal  conditions.    But  the  feasibility  and 
optimization  of  the  transfer  of  equipment  and  personnel  needed  to  deal  with  an 
accidental  event  must  also  be  considered.    Optimization  of  windows  of  opportunity 
for  both  normal  conditions  and  crisis  conditions  can  greatly  increase  safety 
and minimize undesirable consequences and costs.

Finally,  I  would  like  to  present  to  all  the  working  groups  a  general  list 
of  guidelines  and  issues  to  be  considered  for  your  reports. 

1.  As  much  as  possible  in  the  short  time  that  you  have,  you  should  share 
specific  experiences  with  actual  applications  of  risk  analysis  to  offshore 
operations.    These  should  include  both  positive  and  negative  experiences  - 
successes  and  failures.    Just  as  the  combined  experience  of  a  number  of 
workers  leads  to  the  best  choice  for  a  component  or  operating  procedure, 
combined  experience  will  lead  to  the  best  use  of  risk  analysis  as  a  tool 
for  safety  management.    We  need  a  common  understanding  of  the  strengths 
and  weaknesses  of  this  tool.    And  without  knowing  what  has  been  tried 
before  and  what  the  results  were,  it  will  be  difficult  to  improve  our 
ability  to  use  risk  analysis. 

2.  What  are  the  barriers  to  implementation  of  risk  analysis  in  your  area?  Are 
they  technical  barriers,  such  as  insufficient  data  or  inadequacies  of  the 
techniques,  or  are  the  problems  organizational  and  institutional? 

3.  You  should  identify  which  analysis  techniques  are  most  appropriate  for 
specific  applications.    (This  is  really  a  part  of  the  first  item.) 

4.  Every  working  group  can  look  to  the  common  problem  of  inadequate  data. 

This  particular  barrier  for  the  application  of  risk  analysis  is  so  important 
WORKING GROUP IV


LOGISTICS  AND  SUPPORT 

CHAIRMAN: BRUCE HUTCHISON

APPLICATION  OF  RISK  ANALYSIS  IN  THE  EXCHANGE  OF  MATERIAL, 
ENERGY,  AND  PERSONNEL  BETWEEN  THE  SHORE  AND  OFFSHORE 
INSTALLATIONS. 

*  OPTIMIZING  SCHEDULES  AND  QUANTITIES 

*  IDENTIFYING  HAZARDS 


Figure  8  -  Working  Group  IV  -  Logistics  and  Support 
that I have put it down as a separate item on this list. What kind of
data  are  needed?    And  what  should  we  do  about  it? 

5.  Can  we  identify  opportunities  for  using  risk  analysis  at  present?  How 
can we use risk analysis given the current data base and current
methodologies?

6.  What  do  we  need  to  make  the  application  of  risk  analysis  more  effective? 
What  should  our  research  priorities  in  your  area  be,  short  range  or 
long  range?    What  could  we  do  if  we  had  the  answers  from  this  research 
and  development  that  we  cannot  do  now? 

7.  Finally,  we  don't  expect  that  you  will  produce  an  all  encompassing 
bibliography; but specific references and knowing the bounds of
proprietary information would make our proceedings and recommendations
much  more  useful  to  those  who  will  follow  what  comes  from  this  workshop. 

In  conclusion,  we  want  to  thank  you  in  advance  for  your  participation  in 
the  working  groups.    We  know  that  the  time  is  short  for  dealing  with  the  broad 
topic  covered  by  this  workshop;  but  the  time  is  ripe  and  the  opportunities  are 
exciting  for  applying  risk  analysis  to  the  problem  associated  with  offshore 
operations. 

Good  luck  in  your  efforts! 
STANDARDS, CODES AND PRACTICES


REPORT  OF  WORKING  GROUP  I 


1.  INTRODUCTION 

At the Minerals Management Service (MMS)/National Bureau of Standards Workshop on
the Application of Risk Analysis to Offshore Oil and Gas Operations, a session
was  convened  on  "Standards,  Codes,  and  Practices."    The  membership  of  the 
working  group  is  attached.    The  interpretation  of  the  working  group  of  its 
charge  was  to  investigate  the  application  of  risk  analysis  and  reliability 
engineering  techniques  in  the  area  of  standards,  codes,  and  certification 
practices. It includes the use of risk analysis in the formulation of standards,
codes, practices, certifications, and regulations; the requirement in standards
and regulations that quantitative risk analysis be employed; and the voluntary
use by industry of risk analysis to comply with standards and regulations.

1.1  DEFINITIONS 

The  working  group  found  it  necessary  to  define  the  terms  risk  analysis, 
reliability  analysis,  and  safety  analysis,  in  order  to  clarify  meanings  and 
uses  of  the  terms  during  the  discussions. 

The  consensus  of  the  working  group  favored  the  definition  that  risk,  R,  involves 
the  likelihood  (probability)  of  an  undesired  event,  F,  and  the  consequences  of 
the event, C, i.e.:

R  =  R(F,C) 

Some  working  group  members  indicated  the  need  to  consider  the  setting  in  which 
the  event  probability  and  consequences  were  being  considered,  or  the  "exposure," 
E,  as  part  of  the  expression  of  a  risk. 

R  =  R(F,C,E) 

In  this  connection,  exposure  would  be  needed  so  the  risk  estimates  can  be 
related  directly  to  specific  activities  being  considered  for  safety  action, 
standards,  or  regulations.    It  would  also  be  needed  to  set  priorities  for  safety 
action among such activities, and for locating the high risk subactivities for
which  further  information  might  be  needed.    If  exposure  is  included,  risk  would 
be  expressed  in  terms  of  probable  consequences  per  unit  of  exposure  during  the 
activity  being  analyzed,  i.e.,  the  probability  of  disabling  injury  per  hour  of 
drilling  operation,  or  crane  operation,  or  per  hundred  wells  drilled,  etc. 

Risk  analysis  may  take  one  of  two  forms  at  the  top  level.    Qualitative  risk 
analysis  is  any  consideration  of  events  that  could  lead  to  failure,  and  their 
consequences.    Events  are  to  be  treated  at  a  system  level,  rather  than  as 
isolated  events.    Quantitative  risk  analysis  refers  to  any  number  of  methods 
which  provide  a  statistical  foundation  to  the  understanding  of  risk. 
Safety analysis to assess risk was also discussed. The point was made that
safety analysis methodically seeks to discover and assess potentially harmful
interactions among system personnel, equipment, and procedures, and how failures
of  components  (including  personnel)  are  accommodated  by  the  system  to  control 
the  harm  that  could  occur.    With  the  consideration  of  exposure  in  the  latter 
expression  of  risk,  risk  analysis  helps  satisfy  the  safety  analysis  need. 

Some  members  of  the  working  group  suggested  the  need  to  delineate  the  very 
different  nature  of  terms  such  as  risk  assessment,  risk  analysis,  reliability 
analysis,  safety  analysis,  and  engineering  analysis.    However,  the  view  which 
opposed  this  thought  should  be  noted. 

1.2    RISK  OF  OFFSHORE  OPERATIONS 

The  conduct  of  any  operation  inevitably  involves  risk.    The  degree  of  risk 
varies  with  the  task  and  types  of  risk  generally  always  include  property, 
personal  injury,  and  damage  to  the  environment.    The  offshore  operations  are  no 
exception.    Some  of  the  risks  in  conducting  offshore  oil  and  gas  operations  may 
be  generic  as  existing  in  any  engineering  system  and  some  may  be  due  to  its 
unique  nature  related  to  its  complex  operating  environment.    Traditional  thinking 
often  regards  experience  in  design,  construction,  and  operation  of  offshore 
systems  as  the  best  safeguard  against  risks.    The  value  of  this  contention  can 
hardly  be  disputed  as  evidenced  by  the  superior  safety  record  of  the  oil  and 
gas  operations  in  the  Gulf  of  Mexico.    Yet  losses  have  occurred  partly  due  to 
omission  to  account  in  design  for  certain  "unlikely"  events  but  mostly  due  to 
the  uncertainties  in  design  variables,  methodology,  and  the  interaction  of 
human  elements.    These  incidents  often  lead  to  improvement  of  standards  and 
practices  to  overcome  the  deficiency.    The  process  is  therefore  corrective  but 
in  many  cases  lags  occurrence  of  an  identifying  incident.    It  should  also  be 
noted  that  loss  of  one  component  or  one  subsystem  is  not  necessarily  self- 
contained.    The  loss  may  propagate  and  trigger  other  losses  and  may  ultimately 
lead  to  the  loss  of  the  entire  system,  depending  on  the  individual  design. 

Aside  from  the  basic  variables  encountered  in  design  (e.g.,  structural  design), 
human  factors  must  also  be  regarded  as  part  of  the  system.    In  one  source  of 
statistics  pertaining  to  offshore  structures,  human  errors  account  for  more 
than  85  percent  of  all  losses.    It  is  therefore  logical  to  include  human  factors 
in  risk  assessment.    Human  errors  may  be  present  in  the  design,  construction, 
inspection,  maintenance,  and  operations  of  the  offshore  installation.  Such 
errors  can  lead  to  component/system  malfunction  or  damage. 

It  is  particularly  important  to  take  risks  into  account  in  the  development  of 
technology  for  offshore  systems  especially  under  novel  operating  conditions. 
Unlike  some  fully  tried  and  tested  engineered  systems  such  as  an  automobile 
system  or  a  glycol  dehydration  unit  where  the  basic  subsystems  and  general 
configuration  among  all  makes  and  years  are  essentially  the  same,  the  differences 
in  offshore  environments  (usually  geographic  areas)  dictate  that  past  experience 
in  one  environment  may  not  be  automatically  applicable  with  high  confidence  in 
another  environment.    For  instance,  experience  drawn  from  the  successful  design 
of  risers  operating  in  100  foot  water  depths  may  not  be  directly  transferred  to 
the  design  of  risers  for  use  in  a  tension  leg  platform  in  1500  feet  of  water. 
Additional investigation, engineering analysis, testing, and observations are
necessary. Because there is more variability in offshore structures and
less experience associated with deeper waters,
engineers and planners would be wise to mobilize all available means, including
risk analyses, and probably be more conservative in their designs, and/or do
more experimenting and testing.

2.      STATE  OF  PRACTICE  OF  RISK  ANALYSIS 

2.1  ROLE  OF  STANDARD-MAKING  BODIES 

The  primary  concern  of  the  standard-making  bodies  is  the  safety  and  integrity 
of the offshore installations and the protection of human life and the
environment. If more sophisticated approaches to risk analysis can enhance the chances
of achieving these goals, then they should be included as a part of the general
formulation of the standards, codes and practices. On the other hand, these
goals are presumably achieved when standards, codes, and practices or
regulations already require engineering analysis sufficient to produce a safety
record  that  appears  to  be  acceptable  to  society.    In  order  to  justify  additional 
requirements  it  must  be  shown  that  they  will  materially  improve  safety.  An 
initiative  to  include  more  sophisticated  or  structured  risk  analysis  in  industry 
standards  or  to  address  them  through  government  regulations  should  be  evaluated 
against such criteria as: is it needed, is it beneficial, is it accomplishable,
is  it  cost  effective. 

2.2  USE  OF  RISK  ANALYSIS 

Risk  analysis  is  employed  in  many  applications  in  both  the  private  sector  and 
in  the  government.    Within  the  U.S.  Government,  risk  analysis  is  required  or 
employed  by  the  Materials  Transportation  Bureau  of  the  Department  of  Transportation, 
the  Consumer  Product  Safety  Commission,  the  Nuclear  Regulatory  Commission,  the 
Department  of  Energy,  and  the  National  Transportation  Safety  Board,  to  name  a 
few.    The  purpose  of  this  section  is  to  review  the  use  of  risk  analysis  by 
regulatory  bodies  of  the  offshore  oil  and  gas  industry. 

2.2.1    Requirements  in  Standards  and  Regulations 

Engineering  analysis  has  been  inherent  in  codes  of  practice  and  regulations 
since  their  inception.    Formal,  explicit  requirements  in  regulations  for 
reliability  analysis,  safety  analysis,  and  risk  analysis  have  come  into  being 
more  recently. 

During  the  mid-1970s,  the  MMS  commenced  requiring  the  use  of  API  RP  14C, 
"Analysis,  Design  Installation  and  Testing  of  Basic  Surface  Safety  Systems  on 
Offshore  Platforms."    This  was  followed  in  1979  by  the  USCG  implementing  a 
similar  requirement  for  industrial  equipment  on  Mobile  Offshore  Drilling  Units. 
The  most  comprehensive  requirement  for  safety  analysis,  which  presumes  the  use 
of  some  form  of  risk  analysis,  in  the  offshore  is  the  "Guideline  for  Safety 
Evaluation  of  Platform  Conceptual  Design"  issued  by  the  Norwegian  Petroleum 
Directorate  (NPD)  in  1981. 
Several characteristics of the NPD guidelines are worth noting for their breadth
of  scope. 

• Safety analysis is to be performed at the installation's conceptual design
stage. 

• Accidents to be evaluated include "...blow-out, fire, explosion and
similar incidents, falling objects, ship and helicopter collisions,
earthquakes, other possible water conditions, and relevant combinations
of these incidents."

•  No  specific  methods  of  approach  have  been  specified  except  that  the 
safety  analysis  "...should  be  carried  out  at  a  superior  system  level," 
and  that  "the  intention  is  not  to  include  calculation  of  residual  risk," 
i.e.,  only  qualitative  analysis  would  suffice.    However,  as  an  order  of 
magnitude  guideline,  "...the  total  probability  of  occurrence  of  each 
type  of  excluded  situation  would  not,  by  best  available  estimate,  exceed 
10^-4 per year...."

Some  key  points  in  the  philosophical  aspects  of  the  NPD  Guidelines  can  be 
readily  observed.    The  NPD  Guidelines  recognize  that  in  the  conceptual  design 
stage,  the  design  is  not  adequately  developed  to  apply  detailed  design 
requirements.    It  requires  that  the  overall  safety  of  a  platform  conceptual 
design  be  evaluated  with  respect  to  certain  accidental  conditions  which  could 
threaten  the  survival  of  the  platform  or  the  personnel.    These  are  called 
"design  basis  accidents"  and  are  required  to  be  considered  at  the  earliest 
phase  of  design. 

Referring  to  the  items  of  hazard  analysis  mentioned  in  the  second  item  in  the 
foregoing,  one  may  find  resemblance  among  other  regulations.    For  example,  in 
the  "Requirements  for  Verifying  the  Structural  Integrity  of  OCS  Platforms" 
issued by the MMS in 1979, similar requirements are stated:

"Considerations  shall  be  given  to  accidental  loading,  and  where 
such  loadings  are  incorporated  in  design,  they  shall  be  quantified." 

The  requirements  then  proceed  to  exemplify  some  of  the  accidents  which  bear 
striking  resemblance  to  the  partial  list  given  in  the  foregoing,  with  the 
exception  of  earthquakes  and  extreme  weather  conditions  which  are  not  regarded 
as  accidents  and  are  covered  elsewhere  in  the  MMS  Requirements. 

The  intention  of  the  MMS  Requirements  is  to  recognize  the  potential  danger  of 
such  accidental  events,  and  to  require  that  they  be  taken  into  account  in  the 
engineering  analysis.    The  particular  logical  tool  employed  by  the  engineer, 
which  may  include  risk  analysis,  is  not  specified. 

In  the  U.S.  Coast  Guard's  regulations  covering  mobile  drilling  units,  and,  to 
some  extent,  compliant  structures,  certain  requirements  aiming  at  reduction  of 
risks  also  exist.    For  example,  requirements  regarding  hazard  warning  systems, 
structural  arrangement  and  equipment  to  provide  adequate  escape  means,  etc., 
can  be  all  grouped  under  the  guiding  principle  of  reduction  of  probability  of 
hazard occurrence and consequences. Classification rules in this regard generally
are  compatible  with  the  MMS  and  the  USCG  requirements,  where  applicable. 

The  American  Petroleum  Institute's  "Recommended  Practice  for  Planning,  Designing 
and  Constructing  Fixed  Offshore  Platforms,"  RP  2A,  recommended  that  a  risk 
analysis  be  performed  to  determine  design  environmental  conditions  for  platform 
sites for which environmental conditions have not been codified. This risk
analysis  is  to  include  "...the  estimated  cost  of  the  platform  designed  to 
environmental  conditions  for  several  average  expected  recurrence  intervals;  the 
probability  of  platform  damage  or  loss  when  subjected  to  environmental  conditions 
with  various  recurrence  intervals;  the  financial  loss  due  to  platform  damage  or 
loss  including  lost  production,  cleanup,  replacing  platform  and  redrilling  of 
wells,  etc.    As  a  guide,  analyses  have  indicated  that  the  optimum  average 
expected  recurrence  interval  is  several  times  the  planned  life  of  the  platform." 

A  complete  listing  of  relevant  regulations  and  the  governmental  agencies  accorded 
the  mandate  to  regulate  the  U.S.  offshore  oil  and  gas  installation  has  been 
compiled  in  a  report  entitled,  "Safety  and  Offshore  Oil,"  by  the  Committee  on 
Assessment  of  Safety  of  OCS  Activities,  Marine  Board,  Assembly  of  Engineering, 
National  Research  Council  in  1981. 

2.2.2    Analytical  Methods 

There  are  numerous  analytical  methods  employed  in  risk  analysis.    The  methods 
described  in  this  section  exemplify  what  can  be  done  in  light  of  the  present 
state  of  technology  to  satisfy  the  existing  regulatory  requirements  under  the 
overriding  principle  of  reduction  of  risks  and  consequences. 

A  credible  risk  analysis  requires  a  team  effort.    This  team  should  consist  of 
experts  in  hazard  analysis,  experienced  designers,  system  analysts,  platform 
managers,  and  those  trained  in  estimating  consequences.    Most  of  the  analytical 
models  for  risk  analysis  (e.g.,  event  and  fault  tree  techniques,  and  failure 
mode  and  effect  analyses)  are  well  known  and  have  been  successfully  applied  in 
other  industries.    The  detailed  knowledge  of  the  particular  project  and  the 
experience  gained  in  similar  past  offshore  projects  that  the  team  can  assemble 
is  the  significant  part  of  the  risk  analysis  effort.    As  such,  risk  analysis 
should  not  be  viewed  as  an  exercise  in  probability  and  statistics  but  as  an 
opportunity to marshal all resources (analytical, engineering, and management)
to  arrive  at  logical  and  rational  decisions. 

2.2.2.1    Analysis  of  Design  Basis  Accidents 

The  primary  objective  of  this  step  is  to  identify  the  possible  undesirable 
consequences  of  the  chain  of  events  that  may  follow  a  specific  event.  The 
following  series  of  analyses  are  generally  pursued. 

• Event Selection. This step identifies consequences of a hazardous event.
For example, in case of fire, explosion, and surface blowout, the possible
consequences are the triggering of secondary fire or explosion under the
most unfavorable wind conditions, elimination of escape routes and
equipment, reduction of escape time, destruction of valves, pipelines that
handle hydrocarbons, etc.

•  Event  Design  Loads.  Determination  of  maximum  accidental  loads  after  the 
occurrence  of  identified  events  which  may  jeopardize  the  survival  of  the 
platform  structure. 

•  Design  Evaluation.    Evaluation  of  the  design  concepts  and  recommendations 
of  necessary  revisions  in  design  to  enhance  the  survivability. 

2.2.2.2 Failure Mode and Effect Analysis (FMEA)

The  FMEA  is  intended  to  identify  and  examine  all  possible  features  of  the 
failure  modes  and  their  effects  on  the  major  subsystems  of  an  offshore 
installation.    The  basic  features  generally  include: 

•  a  list  of  the  system  components, 

•  a  list  of  the  functions  of  the  components, 

• a functional block diagram identifying the components and their
functional interdependences, whose preparation can be considered a desirable
preliminary stage of FMEA,

•  modes  of  failure  which  are  considered  for  each  component, 

•  probable  causes  of  each  failure, 

•  effects  of  each  failure. 

A rigorous probabilistic treatment of these items may not be within the present
state of practice. However, engineering judgement may be exercised, leading
to  an  "impact  index"  based  on  the  frequency  of  the  failure  modes  and  their 
severity.    The  impact  index  so  evaluated  can  be  used  to  identify  the  most  severe 
failure  mode  or  modes.    Note  that  severity  in  this  context  is  measured  by  the 
consequences  of  the  failure,  including  its  cost  both  tangible  and  intangible, 
and  by  the  acceptability  of  the  failure  event  to  the  parties  concerned. 

The  typical  failure  modes  of  concern  are  high  severity,  low  frequency  events. 
Low  frequency,  low  severity  failures  are  possibly  inconsequential,  while  low 
severity, high frequency events are a nuisance and should ideally be designed
out.

2.2.2.3 Fault Tree Analysis (FTA)

The  FTA  is  intended  to  integrate  the  elements  that  stand  alone  in  FMEAs. 
However,  the  FTA  need  not  be  considered  in  relation  to  FMEA,  since  it  can  be 
conducted  independently.    It  is  also  a  convenient  way  to  incorporate  human  error. 
The  fault  tree  connects,  by  means  of  AND  gates  and  OR  gates,  events  which 
contribute  to  the  undesirable  event  of  interest.    It  is  constructed  deductively, 
beginning  with  a  single  specific  undesirable  event,  and  then  systematically 
identifying all known events which could cause or contribute to the occurrence
of  the  undesirable  event.    If  the  probabilities  of  occurrence  of  the  basic 
events  are  known,  they  can  be  used  to  estimate  the  probability  of  occurrence  of 
the  top  undesirable  event.    Even  if  they  are  not  known,  the  FTA  still  can  be 
helpful  to  the  analyst  in  identifying  the  critical  paths  in  the  system. 
Interactive  software  packages  which  help  in  constructing  the  fault  tree  and 
which  carry  out  the  subsequent  probabilistic  analysis  are  commercially  available. 
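
The gate logic described above, worked through as an added example (not code from the report or from any commercial package). The tree, the event names and the probabilities are constructed for illustration; the block lists the critical paths (minimal cut sets) and compares the exact top-event probability with a gate-by-gate product, which goes wrong once one basic event feeds two branches.

```python
import math
from itertools import product

# Constructed tree (not from the report). A gate is (kind, [children]); a basic
# event is a string. "power_loss" feeds both detector branches, and the human
# error "operator_misses_leak" enters as an ordinary basic event.
TREE = ("AND", [
    ("OR", ["detector_a_fails", "power_loss"]),
    ("OR", ["detector_b_fails", "power_loss"]),
    "operator_misses_leak",
])

# Constructed probabilities of the basic events, assumed independent.
P = {"detector_a_fails": 0.05, "detector_b_fails": 0.05,
     "power_loss": 0.01, "operator_misses_leak": 0.2}


def cut_sets(node):
    """Every set of basic events whose joint occurrence causes `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":      # any one child's cut set is enough
        return set().union(*child_sets)
    if kind == "AND":     # need one cut set from every child at once
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {kind!r}")


def minimal_cut_sets(node):
    """Critical paths: cut sets that contain no smaller cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def basic_events(node):
    """Names of all basic events below `node`."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def occurs(node, state):
    """Does `node` occur for one True/False assignment of the basic events?"""
    if isinstance(node, str):
        return state[node]
    kind, children = node
    results = [occurs(c, state) for c in children]
    return all(results) if kind == "AND" else any(results)


def top_probability(node, p):
    """Exact probability by enumerating all 2^n basic-event states."""
    names = sorted(basic_events(node))
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(node, state):
            total += math.prod(p[n] if state[n] else 1.0 - p[n] for n in names)
    return total


def gate_by_gate_probability(node, p):
    """Multiply through the gates as if sibling branches never share events."""
    if isinstance(node, str):
        return p[node]
    kind, children = node
    probs = [gate_by_gate_probability(c, p) for c in children]
    if kind == "AND":
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - q for q in probs)


def cut_set_bound(node, p):
    """Upper bound: sum over minimal cut sets of the product of their events."""
    return sum(math.prod(p[e] for e in cs) for cs in minimal_cut_sets(node))


if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(TREE), key=len):
        print(sorted(cs))
    print("exact        ", top_probability(TREE, P))
    print("gate by gate ", gate_by_gate_probability(TREE, P))
    print("cut-set bound", cut_set_bound(TREE, P))
```

The two-event cut set containing `power_loss` dominates the result even though its probability is the smallest in the table, which is the kind of critical path the tree exposes without any numbers at all.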

3.      PROBLEM  AREAS 

The  discussion  on  available  methods  of  risk  analysis  is  by  no  means  complete. 
It  simply  demonstrates  that  within  the  state  of  technology,  means  of  analysis 
to satisfy the risk assessment requirements currently specified in codes and
standards  are  available. 

Having  recognized  this,  it  should  be  noted  that,  even  within  the  scope  of 
qualitative  assessment,  the  situation  is  far  from  ideal  and  many  problem  areas 
exist.    It  would  be  pointless  to  argue  the  merits  and  shortcomings  of  the 
methods  of  analysis  without  an  exhaustive  compilation  and  thorough  evaluation 
of  available  methods.    It  is  not  the  intention  of  this  paper  to  provide  the 
final  analysis  in  the  identification  of  problem  areas  which  remain  the  charge 
of  the  other  work  groups.    However,  for  illustration  purposes,  a  critique  of  a 
hypothetical  risk  analysis  employing  the  methods  and  criteria  mentioned  in  the 
foregoing is presented here.

3.1  INTERACTION  OF  DESIGN  AND  RISK  ANALYSIS 

One  major  difficulty  the  analyst  may  expect  to  encounter  stems  from  human 
sources  rather  than  from  the  process  or  equipment  employed. 

Risk  analysis  is,  in  general,  employed  in  two  ways  by  designers,  analysts,  and 
decisionmakers. At the concept design stage, risk analysis is used to describe
risks  at  the  system  level,  and  to  gain  an  appreciation  of  the  feasibility  of 
the  concept  from  the  standpoint  of  coping  with  risks.    Risk  analysis  at  the 
concept  design  stage  is  also  useful  in  establishing  design  criteria.  Risk 
analysis  is  employed  in  the  detail  design  stage  to  obtain  some  degree  of  confidence 
that  the  system  as  proposed  provides  the  level  of  safety  desired,  and  to  optimize 
the  design  to  this  end. 

In  both  instances,  the  risk  analysis  is  a  distinct  element  of  project  engineering, 
similar  in  some  organizational  respects  to  the  quality  assurance  function  during 
construction -- separate from, but a part of, the engineering activity.

3.2  QUANTIFICATION  OF  VARIABLES  AND  THEIR  ROLES  IN  IMPACT  RATING 

The  second  difficulty  relates  to  the  simplicity  of  quantification  in  the  FMEA 
example  discussed  earlier.    By  necessity,  due  to  lack  of  more  precise  data,  the 
complex  issues  like  failure,  hazard,  downtime,  and  defect  have  been  merged  into 
a  single  yardstick  called  "impact".    By  obscuring  the  source  of  contributing 
factors,  this  oversimplified  measure  may  not  be  very  useful  in  providing  guidance 
in  prioritizing  the  various  remedial  actions.    However,  the  basic  idea  of  using 
a small number of parameters is sound. Since the term "impact" has been only
conceptual  heretofore  and  its  definition  has  been  avoided  for  the  sake  of 
generality,  improvement  within  this  approach  is  possible  by  the  proper  usage  of 
the  impact  parameter.    For  example,  if  cost-effectiveness  in  design  revision 
was the one issue that needs guidance from this parameter, a system of cost
rating  in  FMEA  similar  to  the  probability  and  effect  rankings  can  be  expressed 
in  terms  of  prevention  cost  as  a  result. 

3.3    QUANTITATIVE  ANALYSIS 

Problems  in  the  area  of  quantitative  risk  analysis  are  much  more  deep-rooted 
and  complex.    Nevertheless,  they  can  be  grossly  categorized  into  two  major 
obstacles,  namely,  the  questions  of  data  base  and  probabilistic  modeling. 

3.3.1 Data Base

In order to address the issues of data base, the question of quantifiability of
data  should  be  placed  in  focus.    There  are  data  which  result  from  scientific 
measurements  usually  referred  to  as  "hard"  data.    For  example,  yield  strength 
of  a  steel  or  the  life  of  an  electric  relay  can  be  statistically  quantified  so 
that  the  main  question  in  this  regard  would  be  the  population  of  the  data  pool 
used  in  the  statistical  analysis.    Other  commonly  used  terms  are  safety  or 
design  factor,  bearing  life,  fatigue  life,  etc.    Data  of  this  sort  are  generally 
noncontroversial. Others may be quantifiable but have not been quantified, due to a variety of reasons
such as the cost of data acquisition or the relatively young age of the product, which
precludes the existence of a sufficient data pool. Some, as a practical matter,
may not be quantifiable with usable accuracy because life-dependence on specific
site or application parameters gives a continuum of populations -- valves whose
life depends on corrosivity, for example. For both the latter situations,
engineering  judgements  are  needed  to  supplement  or  even  to  replace  data.  In 
such  a  case,  it  is  generally  agreed  that  the  uncertainty  of  data  poses  a  greater 
problem  than  the  bias.    These  are  the  areas  in  which  standardization  of  practices 
through  documents  such  as  API  RPs  (Recommended  Practices)  provide  tremendous 
assistance  to  safe  operations. 

Devices  such  as  the  Delphi  method  or  its  variations  designed  to  cope  with 
experts'  disagreement  are  widely  used  but  have  yet  to  approach  resolution  of 
the issue. Finally, items such as human behavior (e.g., negligence related to
forgetfulness), human value and human life are extremely difficult to quantify
and  the  data,  if  any,  may  stand  indefensible. 

In  a  report  "Risk  and  Decision  Making:    Perspective  and  Research,"  prepared  in 
1982  by  the  Committee  of  Risk  and  Decision  Making,  National  Research  Council, 
the dilemma of lack of data or confidence in the data available was put in focus:

"In  the  debate  on  how  far  to  quantify,  as  in  most  long-standing 
debates,  there  are  errors  of  two  kinds  in  the  balancing  equation: 
a  false  sense  of  precision  with  numbers  may  give  the  impression 
that  more  is  known  than  is  really  known;  and  a  false  sense  of 
impression  without  numbers  may  give  the  impression  that  less  is 
known than is really known." "...If you do not use probabilities,
then  what  do  you  do  and  how  will  it  respond  to  policy  needs?" 

While  a  clear-cut  solution  of  this  dilemma  is  not  available  at  the  present, 
continued  research  appears  to  hold  the  key  to  the  prospect  of  meaningful  use  of 
the  quantitative  risk  analysis.    One  emerging  approach  uses  the  occurrence  and 
frequency  of  timed  events  sets  which  are  parts  of  a  postulated  or  actual 
accidental  process.    Common  events  building  blocks,  with  a  consistent  structure, 
are  used  for  risk  estimates,  task  design,  task  monitoring,  and  mishap  investigation. 
Through  observation  of  task  performance  and  investigations,  occurrence  of 
critical,  timed  events  sets  identified  in  postulated  and  actual  accidents  can 
be  measured  and  their  influence  on  task  outcomes  recorded.    The  approach  lends 
itself  to  Delphi,  observations  or  experimentally  developed  frequency  estimates. 

3.3.2    Probabilistic  Modeling 

Regarding  probabilistic  modeling,  potential  problems  are  again  numerous.  Data, 
whether  they  are  hard  data  or  engineering  judgements,  are  often  not  expressed 
in  terms  of  probabilities  of  failure.    For  example,  the  term  "mean  time  to 
failure" is quite popular. Translation from whatever measure is used in the
raw data to a probability requires a proper postulation of the probability
density  function  (pdf).    This  must  be  made  with  extreme  caution  since  the  tail 
end  of  the  pdf  is  generally  most  significant  and  potential  inaccuracy  is  enormous 
in  dealing  with  extremely  small  numbers  through  extrapolation  techniques. 
Similar  care  must  also  be  exercised  in  the  probabilistic  modeling  of  a  system 
or  subsystem.    For  example,  the  tendon  string  of  a  tension  leg  platform  appears 
to  be  a  system  of  individual  segments  connected  in  series  (where  the  fatigue 
behavior  of  interconnecting  joints  may  be  critical).    The  collection  of  such 
strings  that  form  a  tendon  group  at  a  corner  of  the  platform  may  be  regarded  as 
a  system  in  parallel.    The  probabilistic  modeling  of  the  two  cases  evidently 
requires  different  treatment.    Theoretical  development  of  this  kind  has  not 
reached  a  stage  of  gaining  universal  acceptance  at  this  time. 

Another  issue  in  statistical  modeling  is  the  problem  of  start-up  failures  or 
aging.    Not  accounting  for  these  would  imply  that  the  percentage  of  systems  in 
operation at a given time which would fail in the next interval of time is
independent of time. In other words, as long as a system has not failed, it is
as good as new, an obviously nonconservative assumption. Certain items such as
reduction  in  strength  due  to  corrosion  wastage  can  probably  be  quantified  albeit 
crudely.    It  is  not  certain  how  others  such  as  the  remaining  effectiveness  of  a 
warning  system  or  the  fatigue  behavior  of  a  structural  system  can  be  properly 
modeled  to  account  for  aging. 
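
The modeling points in the two paragraphs above, carried through numerically as an added example (not from the report). It converts one mean time to failure into a failure probability under two postulated lifetime distributions, combines segments in series and strings in parallel as in the tendon example, and shows the aging effect; the Weibull choice, the shape value and all figures are assumptions made for illustration.

```python
import math


def weibull_scale(mttf, shape):
    """Scale parameter that gives a Weibull lifetime the stated mean (MTTF)."""
    return mttf / math.gamma(1.0 + 1.0 / shape)


def failure_prob(t, mttf, shape=1.0):
    """P(failure before t); shape=1 is the exponential (no-aging) model."""
    eta = weibull_scale(mttf, shape)
    return -math.expm1(-((t / eta) ** shape))


def conditional_failure_prob(t, dt, mttf, shape=1.0):
    """P(failure in (t, t+dt] | still working at t) = 1 - S(t+dt)/S(t)."""
    eta = weibull_scale(mttf, shape)
    return -math.expm1((t / eta) ** shape - ((t + dt) / eta) ** shape)


def series_failure(probs):
    """A chain fails when any link fails (independent links assumed)."""
    return 1.0 - math.prod(1.0 - p for p in probs)


def parallel_failure(probs):
    """A redundant group fails only when every member fails (independent)."""
    return math.prod(probs)


def tendon_group_failure(mttf, life, shape, segments, strings):
    """Segments in series form a string; strings in parallel form a group."""
    p_segment = failure_prob(life, mttf, shape)
    p_string = series_failure([p_segment] * segments)
    return parallel_failure([p_string] * strings)


# Constructed figures: segment MTTF 2000 years, 20-year service life,
# 10 segments per string, 4 strings per corner group.
MTTF, LIFE, SEGMENTS, STRINGS = 2000.0, 20.0, 10, 4

if __name__ == "__main__":
    for shape in (1.0, 3.0):
        print(f"shape={shape}")
        print("  segment fails within life :", failure_prob(LIFE, MTTF, shape))
        print("  tendon group fails        :",
              tendon_group_failure(MTTF, LIFE, shape, SEGMENTS, STRINGS))
        print("  fails in year 1  | new    :",
              conditional_failure_prob(0.0, 1.0, MTTF, shape))
        print("  fails in year 16 | alive  :",
              conditional_failure_prob(15.0, 1.0, MTTF, shape))
```

Both models share the same mean time to failure, yet the segment probabilities differ by four orders of magnitude and the group probabilities by far more, and only the shape-3 model lets the yearly failure chance grow with age.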

The  hypothesis  of  statistical  independence  of  random  parameters  which  is  so 
commonly  made  for  the  sake  of  convenience  in  analysis,  is  another  potential 
source  of  gross  error.    Strictly  speaking,  as  a  starting  point,  the  joint  pdf 
of  failure  for  all  the  components  must  be  known  and  subsequent  multidimensional 
integration  would  be  required,  a  prohibitive  proposition  as  it  now  stands. 
Without  it,  how  failure  would  be  properly  represented  statistically  remains  an 
outstanding issue. However, it is acknowledged that partial solution to such
problems exists in the structural reliability in that the correlation among
component  failures  can  be  properly  incorporated  as  is  done  in  some  analysis 
computer  codes. 

4.  DATA  ACQUISITION  AND  RESEARCH  NEEDS 

Assuming  there  are  areas  in  which  the  need  can  be  justified  and  given  the 
numerous  problem  areas  as  discussed  in  the  foregoing,  perhaps  one  proposition 
that  would  meet  universal  agreement  is  the  need  for  more  reliable  data,  a  better 
understanding,  and  better  methods  of  risk  analysis  through  further  research. 
Evidently  the  type  of  data  regarding  the  risks  of  failure  depends  upon  the 
system  under  consideration  and  on  the  method  of  analysis  employed.  Therefore, 
a  systematic  synthesis  of  all  possible  situations  expected  to  be  encountered  in 
a  risk  analysis  would  be  necessary  prior  to  drafting  a  plan  for  the  actual 
gathering  and  analysis  of  data.    In  other  words,  the  identification  of  data 
needed  is  in  itself  a  research  topic.    Even  so,  the  scope  of  such  an  effort  is 
necessarily  limited  to  addressing  data  needs  with  reference  to  existing  approaches 
in  risk  analysis. 

5.  ASSESSMENT 

In  light  of  the  foregoing  discussion  of  the  state-of-the-art,  the  working  group 
offers  the  following  points. 

5.1    VALUE  OF  RISK  ANALYSIS 

Risk  analysis  is  one  of  a  number  of  analytical  processes  or  tools  which  help  to 
give  an  understanding  of  critical  paths  to  system  failure,  and  the  consequences 
of  failure.    This  understanding  improves  the  ability  to  target  design  efforts 
and  safety  resources  to  the  safety  problems  of  greatest  concern.    One  of  its 
major  contributions  is  in  the  description  of  interactions  of  the  elements  of 
the  total  system.    To  the  extent  that  risk  analysis  can  be  done  on  a  quantified 
basis,  the  potential  of  the  analytical  technique  to  aid  in  the  iterative 
processes  of  engineering  design  and  system  safety  is  increased. 

Interest  in  risk  analysis  arises  because  of  the  growing  demand  to  demonstrate 
the  validity  of  plans  for  achieving  an  acceptable  level  of  safety  performance. 
In  any  operation  with  potentially  unacceptable  safety  or  pollution  risks,  the 
parties  who  might  be  harmed,  and  their  representatives  in  government,  desire 
the  party  introducing  the  risks  to  assure  that  reasonable  safety  measures  have 
been  prepared,  and  they  are  likely  to  achieve  the  desired  results.    The  value 
of  risk  analysis  lies,  partly,  in  satisfying  these  concerns.    Risk  analysis, 
like  other  approaches  can  address  interactions  among  people  and  procedures,  the 
handling  of  emergencies,  and  the  range  of  consequences,  as  well  as  hardware  and 
environmental behavior. By asking different questions, using different
analytical methods, and expressing outcomes in different terms, properly performed
risk analysis may discover kinds of safety problems that engineering analyses
may not be seeking. Such a risk analysis would place equal emphasis on all
conditions: operating, extreme environmental and accidental conditions. Risk
analyses done in other industries (e.g., nuclear) have shown that the
contribution to risk comes mostly from "smaller than design basis" events.

Risk analysis models may be used in availability and maintainability studies.
Risk  analysis  results  may  also  be  used  in  identifying  areas  for  safety  training. 

5.2    USE  OF  RISK  ANALYSIS 

Risk  analysis  may  be  beneficial  for  well-studied  design  concepts  for  which 
extensive  experience  exists.    The  design  of  such  platforms  (e.g.,  in  the  Gulf 
of Mexico) may be improved and made consistent by using reliability-based design
procedures (see, for example, the American Institute of Steel Construction's
draft  Load  and  Resistance  Factor  Design  Specifications  and  the  reports  of  the 
American  Petroleum  Institute  PRAC  Project  81-22). 

Risk  analysis  may  be  especially  useful  for  novel  design  concepts  in  environments 
where knowledge and experience are lacking. The logical process of risk analysis
would  help  identify  important  risks  and  combine  the  experience  gained  in  other 
applications  (e.g.,  Gulf  of  Mexico,  North  Sea)  with  the  unique  features  of  the 
particular  project  in  a  consistent  manner.    Qualitative  risk  analysis  has  been 
in  use  by  the  U.S.  offshore  oil  and  gas  industry  in  these  situations,  especially 
for  concept  formulation  and  design,  in  developing  standards  and  regulations, 
and  in  the  iterative  process  of  engineering  design  and  design  review.    The  U.S. 
offshore  oil  and  gas  industry  also  employs  quantitative  risk  analysis  on  its 
own  initiative,  especially  in  cases  where  the  magnitude  of  corporate  investment 
or  public  interest  makes  it  imperative  that  maximum  safety  precautions  be  taken. 

The  Norwegian  Petroleum  Directorate  requires  that  formal  safety  analysis  methods 
be  employed  to  demonstrate  that  proposed  concepts  meet  stated  performance 
criteria.    Thus,  the  NPD  regulations  are  performance  based.    In  fact,  wherever 
NPD  regulations  depart  from  a  performance  approach,  requirements  are  set  forth 
as  guidelines.    The  issue  before  this  working  group  then  narrows  to  the  question 
of  the  extent  to  which  quantitative  risk  analysis  should  be  relied  on  in  U.S. 
standards  and  regulations.    The  answer  to  this  question  is  found  in  the  way 
U.S.  standards  and  regulations  are  developed. 

The  engineering  profession,  which  serves  both  industry  and  government,  has  long 
recognized  the  need  to  provide  self  regulation  and  guidance  to  ensure  the 
maintenance of professional standards of design and construction. The
engineering profession and industry have historically joined together in voluntary
actions to produce a wide range of consensus standards. Many organizations
participate in creating these documents -- USCG, MMS, industry organizations
such as API and ABS, as well as professional societies like ASME and other
standards  writing  organizations. 

Where  feasible,  standards  are  performance  based,  to  allow  for  technological 
development  and  innovation.    For  its  part,  government  has  relied  to  a  great 
extent  on  industry  self-regulation,  and  has  incorporated  standards  by  reference 
in  the  regulations  governing  OCS  operations.    Thus,  the  extent  to  which  risk 
analysis  is  relied  on  today  in  industry  standards  and  government  regulations  is 
a  reflection  on  the  extent  to  which  risk  analysis  has  been  incorporated  into 
standard  engineering  practice.    Its  use  is  growing  in  both  instances.  However, 
it  should  be  noted  that  some  in  the  working  group  hold  the  view  that  not  enough 
risk  analysis  is  incorporated  into  engineering  practices  or  taught  to  engineers 
at present, and that this may hinder application of risk analysis to projects
in  the  future. 

5.3  NEED  FOR  IMPROVED  UNDERSTANDING 

There  is  a  need  to  develop  a  lexicon  of  terminology  and  methods  concerning  risk 
analysis, so that practitioners can communicate with one another, and so that
the  results  of  different  investigators  are  comparable.    An  effective  way  of 
promoting  consistency  between  different  risk  analyses  is  for  the  industry  to 
develop  a  set  of  acceptable  procedures;  such  a  procedure  guide  identifies 
acceptable  methods  for  performing  various  tasks  of  risk  analysis,  suggests  data 
sources,  and  compiles  experience  and  insights  gained  in  recent  risk  studies. 
It would aid the oil company manager to plan a risk analysis in terms of
manpower, schedule and costs and would also make him cognizant of the type and
use  of  risk  analysis  results. 

Some  of  the  reluctance  of  engineers  to  employ  risk  analysis  to  a  greater  extent 
is  a  reflection  of  a  popular  lack  of  understanding  and  misconception  concerning 
the nature of risk, risk analysis, and risk assessment. The need for education
about  risk  analysis  is  real,  and  is  a  matter  for  priority  attention.  The 
professional  community  also  requires  a  sounder  view  of  risk  analysis  and  more 
accessibility  to  knowledge  and  information  in  this  regard. 

There  is  some  evidence  that  more  extensive  use  of  quantitative  risk  analysis 
and improved understanding of how the results can be used can lead to a
relaxation of specific regulations. Thus, risk analysis is very supportive of
performance  based  regulation. 

Regulatory  agencies  have  to  reach  an  accommodation  on  criteria  for  acceptability 
of  the  operators,  the  standards  setting  bodies,  and  the  general  public.  Over 
time, with improved understanding the divergent viewpoints concerning
acceptability converge, but they do so slowly. Risk analysis may help the regulatory
agencies make and justify tradeoff decisions that are their responsibility,
yet more than risk data are needed to bring about the convergence of views
about what constitutes an acceptable risk. As demonstrated by the U.S.
experience with nuclear power, operating experience must demonstrate that the
estimates were reasonably trustworthy and did not misrepresent the experience.
Confidence  in  the  analysts  is  imperative  for  the  convergence  to  occur,  as  it 
has  to  a  large  degree  in  the  field  of  hazardous  materials  transportation. 

5.4  LIMITATIONS  ON  THE  USE  OF  RISK  ANALYSIS 

Risk  analysis  is  a  logical  process  of  bringing  together  everything  the  risk 
analysis  team  knows  about  a  major  facility.    It  reduces  a  complex  problem  into 
components  for  which  we  may  have  combinations  of  data,  models,  and  experience. 
The  exercise  of  engineering  judgement  is  best  done  at  the  component  level 
throughout the analysis. Risk analysis does not preclude the use of
engineering judgement. In fact, it calls for a visible and defendable use of judgement.
Modern risk analysis in the Bayesian statistical framework is founded on such a
use of experience and expert judgement.

Some doubts have been raised as to the capability of risk analysis to identify
risks  that  traditional  engineering  practice  cannot  identify.    This  may  be  so 
for  simple  and  well-studied  concepts.    The  collective  experience  of  the  industry 
has,  in  fact,  over  several  applications,  recognized  these  significant  risks. 
However,  for  complex  and  novel  projects,  an  unstructured  approach  has  less 
chance  of  identifying  dominant  risks.    The  analytical  tools  exist  for  this 
purpose  and  it  behooves  the  industry  to  take  full  advantage  of  them. 

Human  error  is  nearly  always  present  in  events  which  lead  to  accidents,  and 
which  are  described  through  risk  analysis.    Human  performance  can  be  described 
statistically.    Significant  progress  has  been  made  in  the  study  of  human 
reliability  in  other  industries.    Operator  performance  under  different  stress 
conditions  is  being  studied  probabilistically.    Techniques  are  also  available 
to  judge  the  significance  of  gross  design,  construction,  and  inspection  errors. 
Nevertheless,  much  work  remains  to  be  done  in  this  area. 

The  ability  to  quantify  risks  depends  on  the  availability  of  safety  data, 
including  data  on  frequency  of  system  and  component  failures,  data  relative  to 
exposure,  and  data  on  consequences  of  failure.    Creation  of  broad  data  bases  is 
a  task  that  is  larger  than  any  one  project  or  company.    Such  data  would  need  to 
be assembled. The working group notes two constructive developments.

1.  A  reliability  data  base  on  equipment  in  use  in  the  North  Sea  is  nearing 
completion  (OREDA  project). 

2.  The  safety  data  situation  in  the  U.S.  has  recently  been  assessed  by  the 
Marine  Board  (Safety  Information  and  Management  on  the  OCS,  1984).  The 
committee  authoring  the  report  recommended  that  the  Minerals  Management 
Service establish an OCS safety information system for acquiring
comprehensive event and exposure data, calculating frequency and severity rates,
and  analyzing  trends. 

As  described  above,  lack  of  understanding  is  a  barrier  to  further  use  of 
quantitative  risk  analysis  in  the  U.S.    This  problem  needs  to  be  addressed  at 
the national level.

A  number  of  limitations  have  been  reviewed.    Some  are  inherent  in  the  analytical 
tools.    Others,  such  as  lack  of  data,  can  be  remedied.    Still  others  are  due  to 
misapplications  of  analytical  tools  by  the  analysts,  or  misinterpretation 
(misuse)  of  results. 

5.5    DEVELOPMENT  IN  THE  STATE  OF  PRACTICE  OF  THE  OFFSHORE  OIL  AND  GAS  INDUSTRY 

Industry  needs  to  gain  experience  and  understanding  in  risk  analysis.  Greater 
familiarity  will  come  with  increased  use,  because  risk  analysis  improves  our 
understanding  of  system  level  interactions  and  critical  paths  to  failure,  hence 
it  can  be  used  to  improve  safety. 

As  the  use  of  risk  analysis  becomes  more  widespread,  industry  standards,  etc., 
will  need  to  be  revised  to  provide  for  the  use  of  risk  analysis  as  an  alternate 
analytical  technique.    This  is,  in  fact,  already  occurring.    An  instance  cited 
by some working group members is the draft reliability-based specification for
steel  structures  by  the  American  Institute  of  Steel  Construction. 

5.6    DEVELOPMENT  IN  THE  STATE  OF  PRACTICE  OF  GOVERNMENT 

The following problem areas cited by the working group require immediate
attention.

•  Need  for  lexicon  of  terminology  and  risk  analysis  methods. 

•  Need  for  data  on  frequency  of  loss,  exposure,  and  consequences  of  loss. 
(A  related  matter  is  the  possibility  of  making  company-sensitive  risk 
studies  more  widely  available  in  an  anonymous  fashion.) 

•  Need  for  training  of  practitioners. 

The  top  level  intent  of  the  Norwegian  approach  is  to  require  formal  system 
safety  planning.    The  Norwegian  approach  strives  to  get  industry  to  develop  and 
implement  a  plan  to  achieve  an  adequate  safety  performance  level,  and  requires 
industry  to  demonstrate  an  adequate  supporting  safety  analysis  for  government 
review.    In  other  words,  risk  analysis  provides  a  way  to  conform  to  the 
government's  safety  analysis  mandates. 

Elements  of  the  U.S.  Departments  of  Energy  and  Defense  are  approaching  the 
achievement of adequate safety performance in a somewhat similar, nonregulatory
way. Regulatory agencies within the U.S. Department of Transportation
have  used  risk  analyses  in  the  evaluation  of  alternative  state  and  municipal 
regulatory  actions.    Consistent  with  the  fabric  of  the  U.S.  regulatory  system, 
offshore  risk  analysis  will  enter  into  offshore  oil  and  gas  standards  and 
regulations  coincident  with  the  extent  of  its  acceptance  and  use  by  industry. 
There  is  no  reason  to  depart  from  the  historical  practice  in  the  regulation  of 
offshore oil and gas of incorporating industry-developed standards into government
regulations by reference. As industry includes risk analysis in its
industry-developed  standards,  government  should  continue  to  reference  such 
standards  in  its  regulations.    Over  time,  risk  analysis  will  be  used 
increasingly,  in  concert  with  the  experience  base,  in  setting  standards  and 
regulations,  and  in  demonstrating  compliance.    The  only  reason  to  depart  from 
historical practice would be if, in the future, the safety record is deemed
unacceptable,  and  a  government  requirement  for  additional  risk  analysis  offered 
some hope of improvement. In view of the apparent good overall safety performance
record of the industry, any government consideration for the use of risk
analyses  should  be  carefully  scrutinized  to  assure  that  its  use  is  limited  to 
particular  areas  where  its  benefits  outweigh  its  costs.    For  example,  large 
potential  losses,  new  technology,  high-risk  areas  of  operations,  or  repetitive 
safety  problem  areas  could  be  likely  candidates  for  its  use. 

There  is  no  rationale  in  the  U.S.  for  establishing  quantitative  levels  of 
performance  at  this  time.    U.S.  regulators  have  to  keep  in  mind  the  diverse 
conditions  in  the  U.S.,  which  have  led  to  a  two-track  engineering  design  and 
regulatory system (as reflected in RP 2A and the Verification Program) to address
both less complex installations for shallow water in the Gulf of Mexico and all
other systems. Quantitative risk analysis is already being applied selectively
on projects in the "all other" category because of the magnitude of the risks
involved.

6.      CONCLUDING  REMARKS  -  OPPORTUNITIES  FOR  IMPLEMENTATION  AND  APPLICATION 

The  foregoing  discussion  can  now  be  summarized  in  simple  terms.    The  operation 
of  an  offshore  oil  and  gas  installation  involves  numerous  risks.  Therefore, 
minimizing  risks  by  identifying  risks  of  loss,  reducing  their  probabilities  of 
occurrence  and  alleviating  their  consequences  provides  an  attractive  framework 
for  increasing  the  safety  of  offshore  installations.    Presently,  standards  and 
codes  that  deal  with  safety  of  offshore  structures  have  begun  to  identify  the 
issues  of  risk  and  there  are  reasons  to  believe  that  standards  and  regulations 
may play an increasingly significant role in risk analysis. Another constructive
development is the use of risk analysis in the development of standards
which  have  a  deterministic  format. 

The  state  of  practice  in  standards  and  regulations  remains  largely  at  the  level 
of performance-oriented requirements, compliance with which may be fulfilled by
qualitative  risk  assessments.    This  would  require  that  the  treatment  of  failure 
be  approached  at  a  system  level.    In  other  words,  consideration  of  events  that 
are  part  of  the  accidental  loss-producing  process  should  be  carried  out  for  the 
entire  process,  rather  than  being  viewed  as  isolated  events  during  the  design 
process.    On  this  basis,  even  a  qualitative  description  at  the  system  level  can 
succeed  in  identifying  unacceptable  interactions  that  must  be  changed  at  an 
early  stage  of  design,  given  the  state-of-the-art.    In  this  manner,  conformance 
with  existing  requirements  in  standards  and  regulations  cast  in  their  present 
limited  scope  is  possible. 

CONCEPT EVALUATION AND DESIGN


REPORT  OF  WORKING  GROUP  II 

SCOPE 

The scope of Working Group II is the application of risk analysis and reliability
engineering techniques to the planning, design, construction, inspection
and  maintenance  of  offshore  oil  and  gas  production  structures.    This  group  did 
not  consider  topside  facilities  or  support  activities. 

GENERAL  COMMENTS 

Risk  is  the  potential  for  the  realization  of  unwanted  negative  consequences  of 
an event. A complete risk analysis should contain two components: a risk
determination, which includes event identification and quantitative estimation
of probabilities, and a risk evaluation, which presumes a level of acceptability
and includes value judgements.

Risk determination for complex structures, such as those used in the offshore
industry, has three components:

Hazard--Vulnerability--Consequences

A  hazard  is  a  natural  or  man-made  phenomenon  that  may  induce  unwanted  events 
and  may  include  storms,  mudslides,  fire,  collision,  dropped  objects,  excessive 
operating  demand,  poor  fabrication,  etc. 

The  impact  of  a  hazard  depends  on  the  vulnerability  or  whether  the  system's 
capacity  is  exceeded  by  the  demand  of  the  hazard.    If  demand  exceeds  capacity, 
damage  occurs.    The  consequences  depend  on  the  system  exposure  in  terms  of 
lives,  property,  and  environmental  losses.    A  complete  risk  analysis  should 
incorporate  uncertainties  in  hazard  (severity  and  frequency),  vulnerability 
(for both serviceability and major damages) and consequences (tangible and
intangible).

It  has  been  difficult  within  offshore  developments  to  quantify  overall  risks 
because  the  uncertainties  include  many  natural  phenomena  (wind,  wave,  soil 
properties,  etc.).    Published  applications  have  focused  on  utilizing  risk 
analysis  to  promote  rational  trade-offs  between  alternatives  in  a  decision 
framework.    It  is  widely  accepted  that  there  is  no  risk-free  operation  especially 
in  technically  innovative  developments.    But  as  one  author  aptly  put  it  in  the 
title  of  his  paper,  "No  Risk  May  be  the  Greatest  Risk  of  All." 

In  the  context  of  offshore  structures,  risk  applications  have  been  referred  to 
as  structural  reliability  analyses  that  include  the  following  steps.  Relevant 
load  (demand)  and  strength  (capacity  or  resistance)  random  variables  are 
identified. Performance data and relevant information for each variable are
then  collected.    Data  can  be  either  qualitative  or  quantitative.    In  the  next 
step,  probabilistic  descriptions  for  demand  and  capacity  are  constructed. 
Then,  various  levels  of  probabilistic  techniques  may  be  used  to  compute  or 
estimate risks. Basically, reliability analysis is an attempt to assign a
measure  of  safety  which  reflects  the  uncertainties  in  the  analysis.  Subsequent 
applications  may  apply  economic  and  other  trade-offs  to  arrive  at  an  appropriate 
design  decision. 

A  general  reference  for  offshore  reliability  methods  is  "Application  of 
Reliability  Methods  in  Design  and  Analysis  of  Offshore  Platforms"  by  the  ASCE 
Committee  on  Reliability  of  Offshore  Platforms,  Journal  of  Structural  Engineering, 
ASCE,  Vol.  109,  No.  10,  Oct.  1983. 

1.    STATE  OF  PRACTICE 

Considerable  probabilistic  analysis  is  done  in  offshore  engineering  within 
individual  disciplines  such  as  oceanography,  marine  soils,  weld  quality,  etc. 
It  can  be  shown  (in  reliability  theory)  that  treating  each  topic  in  isolation 
and  independently  assigning  design  values  to  each  variable  produces  reliabilities 
which  may  vary  considerably  from  project  to  project.    The  integration  of  these 
specific  discipline-oriented  studies  into  a  single  risk  projection  is  needed 
but  it  is  difficult  in  offshore  engineering  because  of  the  varying  qualities  of 
the  different  data  bases.    Some  integration  has  nevertheless  been  carried  out 
for  specific  projects  and  also  more  generally  for  the  development  of  structural 
design  specifications. 
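
The steps listed above (identify load and strength variables, describe them probabilistically, compute the risk), together with the claim that design values assigned variable by variable give uneven reliability, worked through as an added example that is not part of the report. It assumes independent normal load and strength and a design rule that sets the 5th-percentile strength equal to the 99th-percentile load; the three projects and their coefficients of variation are constructed.

```python
"""Demand-versus-capacity reliability for one failure mode (all numbers constructed)."""
import math
import random

K_CAPACITY = 1.645  # assumed design value: 5th-percentile strength
K_DEMAND = 2.326    # assumed design value: 99th-percentile load

# (name, coefficient of variation of demand, coefficient of variation of capacity)
PROJECTS = [
    ("A", 0.15, 0.10),  # well-characterized loads and strength
    ("B", 0.40, 0.10),  # highly uncertain loads
    ("C", 0.15, 0.25),  # highly uncertain strength
]


def normal_cdf(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def required_mean_capacity(mean_demand, cov_demand, cov_capacity):
    """Mean strength at which the design strength just equals the design load.

    Each variable receives its design value in isolation:
      design load     = mean_demand   * (1 + K_DEMAND   * cov_demand)
      design strength = mean_capacity * (1 - K_CAPACITY * cov_capacity)
    """
    design_load = mean_demand * (1.0 + K_DEMAND * cov_demand)
    return design_load / (1.0 - K_CAPACITY * cov_capacity)


def reliability_index(mean_r, sd_r, mean_s, sd_s):
    """beta = E[M] / sd[M] for the safety margin M = R - S, R and S independent."""
    return (mean_r - mean_s) / math.sqrt(sd_r ** 2 + sd_s ** 2)


def failure_probability(beta):
    """P(demand exceeds capacity) when the safety margin is normal."""
    return normal_cdf(-beta)


def simulate_failure_probability(mean_r, sd_r, mean_s, sd_s,
                                 trials=200_000, seed=7):
    """Monte Carlo cross-check: count sampled cases where demand > capacity."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        if rng.gauss(mean_s, sd_s) > rng.gauss(mean_r, sd_r):
            failures += 1
    return failures / trials


def compare_projects(mean_demand=1.0):
    """Apply the same design rule to every project and report what it buys."""
    results = {}
    for name, cov_s, cov_r in PROJECTS:
        mean_r = required_mean_capacity(mean_demand, cov_s, cov_r)
        sd_r = cov_r * mean_r
        sd_s = cov_s * mean_demand
        beta = reliability_index(mean_r, sd_r, mean_demand, sd_s)
        pf = failure_probability(beta)
        results[name] = {
            "mean_capacity": mean_r,
            "beta": beta,
            "pf": pf,
            "reliability": 1.0 - pf,  # one minus the probability of failure
            "pf_simulated": simulate_failure_probability(
                mean_r, sd_r, mean_demand, sd_s),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_projects().items():
        print(f"project {name}: mean capacity {r['mean_capacity']:.3f}  "
              f"beta {r['beta']:.3f}  pf {r['pf']:.5f}  "
              f"simulated pf {r['pf_simulated']:.5f}")
```

Projects A and C satisfy the identical design rule, yet the computed failure probability of C is more than five times that of A.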

There  were  many  examples  reported  at  the  workshop  on  the  effective  use  of 
reliability  analysis  in  offshore  design  problems.    Four  categories  of  application 
were  identified,  1)  before  design,  2)  during  design,  3)  during  construction, 
and  4)  during  operation.    A  brief  description  follows: 

Before  design. 

1)  Gulf  of  Mexico  wave  forces  and  selection  of  design  wave  heights.    In  this 
early  study,  the  reliability  techniques  were  used  to  establish  rational 
design criteria for wave loadings. The analysis included existing performance
data.

2) Gulf of Alaska design earthquake and wave height conditions. This development
is similar to the Gulf of Mexico wave force study except that it also
considered  regional  seismicity  and  the  possible  interactions  within  the 
criteria  selection  process  of  these  two  hazards  (wave  and  earthquake). 

3) Canadian EIS, design ice loads. Risk and reliability techniques were used
in  the  determination  of  reasonable  design  ice  loads  for  fixed  production 
structures  in  the  Canadian  Beaufort  Sea.    One  operator  in  the  Beaufort 
Sea  had  used  deterministic  methods  to  establish  ice  loads  due  to  ice  flow 
impacts.    The  design  loads  were  reviewed  using  reliability  analysis  and  it 
was  found  that  they  were  overly  conservative. 

4)  Ice  forces  and  resistances  reliability  -  A  reliability  study  for  the 
Beaufort  Sea  examined  various  types  of  structures  and  compared  alternatives 
based  on  cost  and  risk. 

5) Troll development (offshore Norway). Again, alternatives were compared using
risk  analysis  to  evaluate  the  best  structural  concept. 

6)  Hutton  TLP  analysis.    Studies  have  been  reported  using  system  reliability 
methods  to  compare  various  structural  forms  related  to  this  innovative 
concept. 

7) API-LRFD specification development.

8) API fatigue reliability study.

During design.

1)  Hibernia  development  -  used  risk  methods  to  compare  gravity  based  versus 
floating  structures. 

2)  Troll  alternatives  -  detailed  design  criteria  development. 

3)  Foundation  factors  of  safety  for  Southern  California  platforms  in  an 
intense  earthquake  zone. 

4)  North  Sea  gravity  structure  foundation  penetration  criteria. 

During construction.

1)  Reliability  analysis  of  underdriven  piles  for  a  Gulf  of  Mexico  structure. 

2)  Criteria  established  for  tow  routes  on  transocean  tows,  i.e.,  Atlantic  vs. 
Pacific,  etc. 

During  operations. 

1) Siting jackup drill units in Norton Sound and Lower Cook Inlet.

2)  Inspection  strategies  for  North  Sea  platforms. 

3)  Remedial  construction  -  In  this  early  example,  one  company  utilized  reliability 
analysis  to  select  remedial  strategies  for  modifying  existing  structures. 

4)  Damage  to  structure  caused  by  dropped  pile.    This  study  and  several  similar 
ones  have  utilized  reliability  methods  to  evaluate  damage  tolerance.  Among 
the considerations are system capacity, repair schedules and further inspection
alternatives.

5)  Platform  damage  repair  alternatives  in  the  Cook  Inlet. 

Many  of  the  examples  cited  above  are  for  unusual  applications  such  as  projects 
in  frontier  areas  with  regard  to  both  geography  and  concept.    Most  of  these 
special studies were not comprehensive or technically rigorous, but were for the
most part used for economic and safety decision analysis. It would be a mistake
to assume that any of the studies is developed to a level suitable for
routine application.

One  important  characteristic  of  the  work  is  the  involvement  by  designers  in  the 
trade-off  studies.    In  all  cases,  the  consequences  of  failure  were  established 
and  incorporated  in  the  design  of  the  overall  system.    In  this  regard,  the 
following priorities were noted: a) safety to the personnel involved, b) minimize
risk to environment, and c) minimize the economic risk. In some instances, the
studies  recommended  further  data  gathering  to  fill  in  the  major  uncertainty 
gaps  or  else  control  mechanisms  during  operation  to  reduce  risk  consequences. 

The  studies  discussed  seemed  to  be  characterized  by  a  willingness  to  admit  to 
large  uncertainties  especially  in  modeling  new  phenomena.    Such  large  gaps  in 
the  technology  could  still  be  treated  by  reliability  techniques  because  the 
studies  were  not  inhibited  by  any  risk  target  goals.    Also,  the  studies  were 
generally  conducted  in  a  design  rather  than  a  verification  situation.    The  work 
was performed either by design-oriented engineers also knowledgeable in structural
reliability theory or by designers assisted by experts in this area. In summary,
reliability analysis has to be used with reason and within its range of
applicability and limitations.

2.    PROBLEM  AREAS 

The  following  barriers  to  implementation  of  reliability  analysis  in  offshore 
construction  can  be  identified. 

1)  Organizational  and  communication  problems.    This  is  at  the  top  of  the  list. 
Within  the  oil  companies  as  in  other  industries,  there  is  a  wide  range  of 
familiarity  with  reliability  methodology  and  the  aims  and  application  of 
risk  analysis.    There  can  be  substantial  differences  in  how  reliability 
results  could  be  interpreted.    There  are  also  problems  with  integration; 
companies  and  design  teams  have  different  risk  management  perspectives. 

2)  The  present  state-of-the-art  and  the  available  information  preclude  the 
use  of  rigorous  reliability  analysis. 

a)  Often  there  is  simply  not  enough  data  available  to  perform  a  detailed 
reliability  analysis. 

b)  In  some  cases  the  theory  has  not  yet  been  developed.    For  example, 
there is a need for good system reliability methods. Most studies
concentrate  on  well-defined  damage  modes  usually  involving  a  single 
event.    The  system  risk  involves  the  complex  interrelationships  and 
correlations  of  different  events.    Failure  event  models  are  needed 
for  identifying  and  defining  redundancy  and  incorporating  inspection, 
quality  control,  and  quality  assurance  resources  in  the  risk  assessments. 

c)  Engineering  judgements  must  be  made  with  regard  to  the  methodology  of 
analysis  and  also  with  regard  to  professional  modeling  uncertainties. 

d) Human Errors - Many if not most reported failures are due to hazards
and events which are not traditionally considered in the design or conception
stage. In particular, human errors are frequently responsible
for major catastrophes but these are often difficult to model or even
identify before the accident event. Recent studies on quality assurance
have begun to report statistical data on human errors in design,
inspection and construction. In addition, guidelines are beginning to
emphasize creation of damage scenarios in which possible hazards are
identified at the project conception stage.

3)  Motivation  can  be  a  barrier  to  implementation.    For  example,  mandatory 
imposition  of  reliability  methods  has  tended  to  produce  solutions  to  satisfy 
the  regulations  rather  than  aid  the  design  decision  process.    This  could 
inhibit initiative and creativity and lead to exercises in formalistic
nonsense.

4) There is an issue of expectations, i.e., what one thinks is going to be the
result  of  the  analysis  and  how  it  will  be  perceived  by  others.    In  most 
studies,  reliability  (or  risk)  represents  a  convenient  measure  of  safety. 
It  has  only  a  limited  accuracy  in  an  actuarial  (statistical)  sense,  since 
only  the  relative  (not  absolute)  risks  between  different  hazards  may  be 
correct.    In  order  to  permit  precise  utilization  of  risk  as  a  trade-off 
criterion  between  a  variety  of  different  concepts,  all  aspects  of  control 
or  construction  activities  would  need  more  accurate  risk  assessment.  This 
requires  considerably  more  data  as  well  as  improved  reliability  techniques 
than  are  now  available. 

In  summary,  reliability  analysis  is  still  in  an  evolutionary  stage,  especially 
for  evaluating  new  concepts  with  significant  technological  uncertainties. 
Because  of  the  limitations  cited  above,  there  was  considerable  concern  expressed 
that a risk analysis, as part of a certification process, would be counterproductive.
While the operator has the obvious responsibility to ensure public
safety,  the  control  mechanism  must  be  meaningful.    At  this  stage,  reliability 
analysis  simply  has  not  been  refined  to  the  point  where  meaningful  computations 
of  probabilities  of  failure  can  be  performed.    There  is  concern  that  some 
interpretations of regulations, such as the new NPD requirements, will contribute
to  the  "paralysis  by  analysis"  syndrome.    Discussions  at  the  Workshop  indicated, 
however,  that  in  fact  the  NPD  requirements  may  be  interpreted  with  a  practicality 
that  balances  economy  and  constructive  safety  strategies.    An  additional  problem, 
however,  is  that  excessive  efforts  to  compute  reliability  would  dilute  manpower 
and  may  in  fact  decrease  safety  by  directing  effort  from  all  the  design  safety 
issues  to  only  those  that  are  amenable  to  reliability  analysis. 

3.    DATA  ACQUISITION  AND  RESEARCH  NEEDS 

The  previous  section  described  limitations  in  current  risk  studies  and  emphasized 
that  reliability  must  be  viewed  as  a  dynamic  quantity  ever-changing  during  a 
project's  lifetime.    Reliability  is  not  a  single  target  at  which  we  aim  but 
rather  a  process  by  which  we  identify  areas  for  investigation  and  control. 
Possible  responses  include  allocation  of  material  and  human  resources  within 
the  system,  such  as  redundancy,  inspection,  quality  assurance,  and  damage 
mitigation. 

Within this scope there are specific research needs for studies on:

1)  Data;  some  examples  are:    statistics  on  soil  behavior  and  foundation 
capacity,  fatigue  including  initial  flaw  distributions  and  probability 
of  detection,  environmental  descriptions,  e.g.,  joint  distributions  of 
wave  height,  period,  directionality,  current,  wind,  etc.,  ultimate 
strengths  (not  deterministic)  of  systems,  etc. 

With  regard  to  data,  many  of  the  effective  applications  of  reliability 
analysis  are  unusual,  and  it  is  not  easy  to  anticipate  the  data  needs. 

2) Technological improvements to reduce modeling uncertainties. Examples
include  soil  structure  interaction  and  design  factors  associated  with 
seismic  analysis  and  fatigue.    In  more  typical  applications  it  is 
possible  to  use  experience  (e.g.,  Bayesian  updating  methods)  to  reduce 
the  modeling  error.    In  other  cases,  modeling  error  can  only  be 
identified  and  reduced  by  experimentation. 

3)  Reliability  theory.    This  would  include  (a)  system  reliability  models 
to  assess  redundancy  (b)  load  combinations,  i.e.,  multi-hazard  loading 
probability  models  and  (c)  applications  of  control  concepts  to  mitigate 
damages. 

4)  Gross  errors  and  blunders.    This  could  be  addressed  by  the  expansion 
of  quality  assurance  procedures  to  address  hazards  which  in  fact  may 
be  the  most  common  contributors  to  risk.    Use  of  Bayesian  decision 
tools  and  expert  system  philosophy  could  assist  in  these  controls. 

A  question  was  raised  as  to  what  would  be  the  best  effective  mechanism  to  do 
the  research.    Industry  pooling  of  experiences  and  data  certainly  would  be 
helpful  but  this  approach  has  been  impeded  by  practical  legal  problems.    In  the 
past,  the  Marine  Board  has  provided  support  for  projects  for  synthesizing  data. 
The  Interagency  Ship  Structures  Committee  also  supports  some  projects,  but  it 
is  a  small  effort.    The  American  Petroleum  Industry  has  also  funded  reliability 
oriented  projects  such  as  the  LRFD  and  the  fatigue  project.    These  have  been 
good  vehicles  for  disseminating  probabilistic  information.    In  addition,  there 
are  the  professional  groups  such  as  the  ASCE  offshore  reliability  committee  and 
conference  and  workshop  proceedings. 

4.    OPPORTUNITIES  FOR  IMPLEMENTATION  AND  APPLICATION 

This  item  is  clearly  the  most  difficult  since  risk  analysis  should  avoid 
becoming  simply  another  acceptance  hurdle.    That  is,  a  program  which  one  accepts 
in  theory  but  doesn't  like  because  it  impedes  progress  while  having  little  to 
do  with  the  design  concept.    The  primary  goal  of  structural  reliability  analysis 
is  to  use  reliability  methods  as  a  design  and  decision  tool  for  assisting  in 
rationally  making  necessary  and  inherent  trade-offs.    Demonstration  projects  of 
risk  analysis  are  needed  in  which  costs  as  well  as  benefits  are  expressed  and 
the flexibility rather than the rigidity of risk analysis is emphasized. Opportunities
need to be taken to assess trade-offs in concepts, design criteria,
redundancy, material selection, design verification, inspection scheduling, etc.

Implementation projects should account for the differences between: (a) projects
with  significant  historical  performance  experience  and  hence  updated  (Bayesian) 
parameter  estimates,  and  (b)  those  projects  with  significant  innovation  which 
need  to  emphasize  quality  assurance  including  concept  risk  evaluation. 

In  summary,  demonstration  projects  illustrating  the  implementation  of  risk 
analysis  should  contain  the  following  ingredients: 

A.  Willing  participation  of  owners,  designers,  regulators  and/or 
researchers. 

B.  Realistic  applications  including  examples  in  frontier  areas  as  well  as 
the  more  developed  offshore  areas  where  there  exists  a  considerable 
body  of  experience. 

C.  Potential  for  trade-offs  between  design,  material,  inspection,  and 
insurance  costs. 

Specific  efforts  to  facilitate  implementation  include  the  following: 

1) Improved communication. The people that need to be convinced of the
usefulness of risk analysis can only be converted over a long period
of time. Projects such as those sponsored by the API, industry cooperative
studies, and government research programs have all been very
effective in promoting reliability analysis in this regard.

2)  Design  specification  changes.    Although  this  aspect  is  covered  in 
Group  I  it  is  clear  that  such  efforts  also  help  motivate  the  reliability 
studies  on  concept  evaluation. 

3)  A  review  situation  which  encourages  rather  than  retards  innovation 
should  be  maintained.    Third  party  reviewers  should  also  be  encouraged 
to  perform  their  own  risk  analysis,  but  within  the  same  framework  and 
goals  as  the  producer. 

OPERATIONS AND MAINTENANCE


REPORT  OF  WORKING  GROUP  III 


INTRODUCTION 

The  term  "risk  analysis"  has  recently  come  into  wide  usage,  but  it  is  important 
to note that the meaning attached to this term varies according to its application
and that a standard definition which would encompass its wide scope would
be  cumbersome.    In  this  paper,  the  term  "risk"  will  be  used  to  refer  to  the 
likelihood  of  occurrence  of  events  which  would  have  adverse  consequences  upon 
the  safety  of  people,  the  environment,  or  economic  resources.    In  order  to 
specify  risk,  one  must  specify  the  undesirable  event  being  considered,  the 
likelihood  of  occurrence  of  this  event  in  a  given  area  over  a  given  period  of 
time,  and  the  likely  consequences  of  the  event  in  terms  of  value  or  degree  of 
losses  which  might  be  incurred.    The  likelihood  of  occurrence  of  the  undesirable 
event  can  be  expressed  qualitatively,  (e.g.,  rare,  occasional,  frequent)  or 
expressed quantitatively as a normalized frequency or probability. The consequences
of an event can also be expressed qualitatively (e.g., severe or minor)
or  quantitatively  (e.g.,  economic  loss,  fatality  rate,  or  incidence  of  ill 
health).    The  term  "risk  analysis"  will  be  used  to  describe  the  process  of 
identifying  undesirable  events  and  characterizing  the  causes  and  effects  of 
"hazards".    A  "hazard"  is  a  substance,  situation,  or  event,  which  has  the 
potential  to  cause  harm  directly  or  initiate  a  sequence  leading  to  harm. 
Hazards could include chemical spills, the release of harmful or explosive
vapors,  falling  objects,  leaking  valves,  etc.    The  effects  of  the  hazards  are 
determined  by  estimating  the  consequences  to  people,  the  environment,  and 
the  economic  resources  of  the  investors. 

The  term  "risk  assessment"  will  be  used  to  refer  to  the  whole  process  of  risk 
analysis and the evaluation of the results of the risk analysis against technological
capabilities, economic costs, and social or political criteria. Thus,
risk  assessment  involves  the  systematic  identification  and  evaluation  of 
undesirable  events  by  means  of  analytical  techniques.    The  results  are  expressed 
in terms of probabilities and are thus not absolute, requiring interpretation
before determining if the risks are acceptable. This interpretation
tends to be subjective unless there are hard criteria which are established by
laws, regulations, or industry consensual standards. Usually specific criteria
do not exist in great detail, particularly in dealing with complex systems.
Nevertheless, the risks inherent in alternative courses of action may be compared
in a relative sense. Additionally, risks associated with a discrete
action  may  be  deemed  too  high  to  be  acceptable  according  to  prevailing  standards. 
If  a  risk  appears  to  be  too  high,  the  introduction  of  design  or  other  changes 
to  lower  the  potential  losses  to  a  more  acceptable  level  is  then  subject  to 
re-analysis  using  the  same  techniques.    This  is  called  the  "iteration  process" 
and  characterizes  risk  assessment  methodology.    The  overall  risk  assessment 
process  is  illustrated  in  figure  1. 

The  term  "reliability"  is  often  used  in  risk  analysis  as  a  measure  of  the 
probability  that  a  component  will  perform  a  required  specific  function. 

COMMON CAUSE ANALYSIS - The Common Cause Analysis method is used to determine
correlations  between  events.    The  probability  of  a  second  order  failure  will 
be  greater  if  the  two  basic  events  required  for  system  failure  have  a  common 
cause.    Also,  redundancy  systems  cannot  be  depended  upon  if  they  have  a  common 
failure  cause  with  the  primary  system.    Common  mode  failures  can  arise  on  a 
redundancy  system  as  a  result  of  either  poor  design  or  improper  installation. 
A  common  cause  failure  search  is  very  difficult  to  conduct,  generally  requiring 
considerable  experience  and  judgement. 

Figure 1. Risk Assessment Process

Reliability is determined as one minus the probability of occurrence of the
event  leading  to  system  failure.  Thus,  reliability  analysis  techniques  are 
similar  to  those  used  in  risk  analysis. 

Although  all  risk  assessment  methods  are  variations  of  the  classical  approach 
shown  in  figure  1,  there  are  many  variations  which  have  been  developed.  The 
most  common  variations  used  for  hazard  identification  include: 

(1)  Preliminary  or  Gross  Hazard  Analysis 

(2)  Hazard  and  Operability  Studies  (HAZOP) 

(3)  Failure  Mode  and  Effect  Analysis  (FMEA) 

(4)  Event  Trees 

The  common  variations  used  for  risk  analysis  include: 

(1) Event Trees

(2)  Fault  Trees 

(3)  Reliability  Diagrams 

(4)  Markov  Diagrams 

(5)  Monte  Carlo  Simulations 

(6)  Common  Cause  Analysis 

A  given  risk  assessment  study  may  involve  the  use  of  several  of  these  procedures. 
Note  that  event  trees  are  used  both  for  hazard  identification  and  risk  analysis. 
A  detailed  description  of  these  risk  assessment  methods  is  beyond  the  scope  of 
this  paper.    However,  a  summary  description  of  each  technique  is  given  in 
Appendix  A. 


TYPICAL  RISK  ANALYSIS  RESULTS 

Once a risk analysis has been completed, it may be summarized in graphical form
to assist in interpretation of the results. The most common graphical formats
used are shown in figure 2. Figure 2a is an example of a risk profile of several
alternatives being considered. In this type of representation, risk expressed as a
normalized frequency or probability, F, is plotted versus the corresponding
number, N, of occurrence of losses. Figure 2b is an example of a cost versus
reliability curve for a given operating system. High reliability has a high
initial investment but a low maintenance cost while a low reliability has a low
initial investment but a high maintenance cost. Figure 2c is similar to figure
2b, but cost is plotted versus risk rather than reliability. This figure
illustrates that the lowest economic cost may still result in unacceptable risk
to human lives and design or other modifications may be initiated. Figure 2d
is an example showing cumulative probability plotted versus present value profit.


STATE  OF  PRACTICE 

DESIGN  -  A  large  number  of  risk  assessment  techniques  have  been  presented  in 
the  literature.    Several  of  these  techniques  have  been  used  in  a  variety  of 
applications  in  the  design  and  operations  of  offshore  oil  and  gas  facilities. 
They are thought to be most effective when integrated into the design phase
of a project having novel components, or when directed towards evaluating
alternative solutions to a problem which has been identified, and which is
amenable to solution by risk analysis. Risk analysis does not yield the
solution to all safety problems. It is a tool which can be helpful in
identifying and solving some safety problems, but it is by no means an all
purpose tool.

Figure 2. Typical Risk Analysis Results

A  significant  number  of  examples  of  the  application  of  risk  analysis  to 
offshore  oil  and  gas  operations  had  been  carried  out  by  members  of  the  working 
group,  including  such  problems  as  selection  of  alternative  well  completion 
methods,  diverter  failure  analysis,  oil  spill  risk  analysis,  and  risk  analysis 
of  welding  operations.    The  applications  with  which  members  of  the  group  had 
personal  experience  were  most  often  addressed  towards  components  or  subsystems, 
more  limited  in  scope  than  an  entire  facility,  and  were  not  considered  to  be  a 
routine  design  procedure. 

In  the  Norwegian  Sector  of  the  North  Sea,  about  a  dozen  rather  specific  studies 
have  been  completed  to  date,  all  commissioned  by  operating  companies,  but  in 
many  cases  primarily  for  submission  to  the  Norwegian  Petroleum  Directorate  as 
project  safety  evaluations.    Subjects  have  included  major  integrated  drilling, 
production,  and  quarters  platform  with  steel  and  concrete  structures,  small 
riser  platforms,  a  major  water  injection,  drilling,  and  quarters  platform,  and 
advanced  deep  water  concepts. 

In the UK Sector of the North Sea, risk analyses are conducted by operators
primarily to assist in project development and as a means for internal evaluation
of economic and safety factors. Unlike Norway, there is no requirement
to  demonstrate  that  numerical  targets  of  risk  have  been  met,  but  the  operator 
has  a  legal  responsibility  to  ensure  that  best  engineering  standards  have  been 
achieved.    This  is  subject  to  verification  by  a  certifying  authority.  Risk 
analysis  is  not  required  as  the  basis  of  statutory  consents  as  is  the  case  in 
the  Norwegian  Sector  of  the  North  Sea. 

In  current  routine  design  practice  in  mature  areas  such  as  the  Gulf  of  Mexico, 
standards  which  include  API  14C  are  generally  used.    Maturity  is  defined  here 
in  terms  of  proven  practice.    Even  in  an  area  such  as  the  Gulf  of  Mexico,  a 
"frontier"  may  be  experienced  from  the  standpoint  of  new  application.  An 
example  would  be  operation  in  deep  water.    Consequently,  "frontier"  is  defined 
in  this  paper  in  terms  of  practice  rather  than  geography.    Risk  analysis  is 
considered  to  have  greatest  potential  in  frontier  areas  of  endeavor. 

OPERATIONS  AND  MAINTENANCE  -  An  approach  to  safety  management  in  operations  and 
maintenance  of  offshore  oil  and  gas  facilities  is  illustrated  in  figure  3.  As 
new  systems  are  developed  and  introduced,  risk  analysis  procedures  may  be 
employed  to  assist  in  developing  operating  procedures  in  the  form  of  policy, 
safety  manuals,  procedure  guides,  and  contingency  plans.    However,  the  most 
essential  ingredient  to  the  development  of  safe  operating  procedures  is  past 
experience,  and  sufficient  imagination  to  recognize  the  kinds  of  hazards  present 
in  a  given  project.    In  mature  areas  of  domestic  offshore  operations,  such  as 
the  Gulf  of  Mexico,  an  effective  hazard  identification  process  has  been  performed 
through the collective thoughts and experiences of many experienced engineers,
operations supervisors, and managers working in this environment. Appropriate
policy and procedures have been incorporated into safety manuals, procedures
guides, and contingency plans. The safety procedures developed generally include
comprehensive  procedures  for  periodically  inspecting,  testing,  and  reporting  on 
all  safety  devices  and  redundant  systems. 

Individual  companies  are  assisted  by  industry  groups  such  as  the  American 
Petroleum  Institute,  the  International  Association  of  Drilling  Contractors, 
and  the  Offshore  Operators  Committee  in  pooling  resources  of  many  companies 
in  the  development  of  appropriate  policy  and  engineering  procedures.    This  is 
further  reinforced  by  government  regulations  enforced  by  the  Minerals  Management 
Service,  the  Occupational  Safety  and  Health  Administration,  and  the  Coast 
Guard.    In  current  practice,  routine  safety  management  is  achieved  through 
enforcement  of  appropriate  policies  and  procedures.    Independent  safety  audits 
are  sometimes  performed  by  company  safety  groups.    Government  agencies  can 
also  assist  in  maintaining  a  safer  work  environment  by  inspection  on  visits  to 
ensure  compliance  with  government  regulations. 

Generally  speaking,  the  greatest  problem  faced  in  controlling  risk  is  not  the 
development  of  the  appropriate  safety  procedures,  but  their  implementation 
through  continuous  training  of  field  personnel  to  keep  them  abreast  of  these 
procedures. Thus, considerable effort must be continuously directed towards
conducting appropriate training seminars. These schools also stimulate discussion
among employees about hazard recognition and occasionally provide feedback
to  the  safety  personnel  concerning  new  problems  and  the  need  for  procedural 
changes. 

Offshore  oil  and  gas  operations  can  be  broken  into  the  two  main  areas  of 
drilling  operations  and  production  operations.    Generally  these  functions  are 
handled  at  the  field  level  by  different  suborganizational  groups  within  a 
company  with  higher  level  commonality  to  ensure  safety  of  the  overall  operation. 
The division of responsibility and specialization permits engineering and operations
expertise to be more effectively focused. Industrywide risk management
policy  and  published  procedures  as  well  as  government  regulatory  agencies 
reflect  this  typical  organization. 

Although  the  machinery  and  processes  used  in  offshore  drilling  and  production 
operations  are  quite  different,  the  same  general  types  of  hazards  are  present 
and  include: 

(1)  loss  of  containment  through  leaks,  ruptures,  overflows,  etc. 

(2)  explosions 

(3)  fires 

(4)  hazardous  solids,  liquids,  and  gases 

(5)  heavy  machinery 

(6)  high  voltage  electrical  power 

(7)  structural  failure  or  sinking  vessel 

These hazards result in risks of personal injury or loss of life, loss of
equipment or entire facilities, loss of oil and gas production and environmental
damage. Each person working on a given offshore unit must be given
broad training with respect to all of the hazards present, and intensive
training concerning the hazards associated with his particular area of
specialization.

A  blow-out  is  the  most  catastrophic  undesired  event  which  could  lead  to  the 
most  severe  losses  in  all  of  the  categories  listed  above.    Extensive  engineering 
effort  is  devoted  to  the  area  of  blow-out  prevention  in  drilling  and  production 
operations.    However,  blowouts  continue  to  occur,  and  can  usually  be  traced  to 
a  sequence  of  human  errors.    Some  members  of  the  working  group  felt  that  risk 
analysis  may  be  of  value  in  developing  improved  "man  machine  interfaces"  which 
will  make  human  errors  less  likely.    However,  even  if  substantial  technological 
improvements  are  made  in  existing  blow-out  prevention  equipment,  effective 
training,  experience  and  supervision  are  likely  to  remain  the  key  factors  in  a 
successful  blow-out  prevention  program. 

Safety management in oil and gas operations generally involves the extensive use
of  redundant  systems  and  safety  devices.  Adherence  to  API  guidelines  (API 
RP14C)  requires  two  levels  of  protection  beyond  good  process  design.  Extensive 
computerized  programs  are  generally  required  to  track  the  testing,  maintenance, 
and  reporting  of  the  needed  surface  and  subsurface  safety  devices.  One  company 
alone  reports  over  13,000  safety  devices  located  on  111  platforms  in  the  Gulf 
of  Mexico,  which  require  120,000  tests  to  be  performed  each  year. 

A  complete  description  of  offshore  safety  management  activities  is  beyond  the 
scope  of  this  paper.    However,  in  order  to  provide  an  example  of  current  offshore 
inspection  and  maintenance  practices  on  safety  devices,  a  few  of  the  more 
important  safety  systems  will  be  described.    Example  organizations  and  procedures 
for  testing  and  maintaining  these  safety  devices  will  be  presented. 

SUBSURFACE  SAFETY  VALVES  -  Subsurface  safety  valves  are  designed  to  close  the 
well  below  the  surface  to  prevent  a  blow-out  in  the  event  the  entire  surface 
safety  system  is  lost  due  to  destruction  of  the  production  facility  by  fire, 
ship  collision,  etc.  Thus,  subsurface  safety  valves  are  the  last  line  of  defense 
against  blowouts  in  producing  wells.    The  design  of  certain  types  of  these 
devices  must  be  matched  to  the  producing  characteristics  of  the  well  to  ensure  a 
functional  system.    Occasionally,  these  devices  must  be  removed  to  allow  remedial 
well  work  below  them,  or  because  the  well  characteristics  have  changed  and  they 
need to be replaced. An example subsurface safety device movement authorization
procedure is shown in figure 4. Note that a special safety audit group is used
to  monitor  and  approve  the  removal  of  these  valves.    This  same  group: 

(1)  maintains  a  daily  audit  of  wells  temporarily  without  a  subsurface 
safety  valve. 

(2)  handles  all  communications  with  regulatory  agencies 

(3)  performs  all  safety  valve  design  work  in  accordance 
with  API  recommended  procedures  (API  RP14B). 

(4)  monitors  the  results  of  all  field  tests  run  to  verify  a  proper  design. 

(5) provides inspection schedules such as the example of table 1.

(6) provides safety device histories such as the example of table 2.

(7) provides reliability data by maintaining failure reports such as the
example of table 3.

Figure 4. Subsurface Safety Device Movement Authorization Procedure

SURFACE  SAFETY  VALVES  -  Surface  safety  valves  are  located  on  all  wells  and  at 
other  strategic  places  to  stop  flow  in  an  emergency.    Various  sensors  are  used 
to  detect  a  hazardous  situation  and  automatically  close  the  appropriate  safety 
valves.    A  schematic  of  a  typical  surface  safety  valve  system  is  shown  in  figure 
5. API recommended procedures (API RP14C) require that a safety analysis
function  chart  (SAFE),  such  as  the  example  shown  in  figure  6,  be  prepared 
showing  the  safety  devices  located  on  each  system  component.    Periodic  tests 
are  performed  on  each  surface  safety  valve  and  on  each  component  designed  to 
activate  each  surface  safety  valve.    As  in  the  case  of  the  subsurface  safety 
valves,  detailed  computer  records  of  test  results  and  required  maintenance  work 
are  maintained. 

The  surface  and  subsurface  safety  valve  for  each  well  must  be  approved  by  the 
Minerals  Management  Service  for  offshore  service.    This  entails  qualifying  the 
valve  under  API  Spec  14A  for  subsurface  safety  valves  and  API  Spec  14D  for 
surface safety valves. The API subcommittee which develops these specifications
meets several times a year and is continually updating requirements to reflect
new developments.

PRESSURE  RELIEF  DEVICES  -  All  pressure  vessels  and  piping  are  protected  by 
pressure  relieving  devices  if  the  possibility  exists  to  exceed  the  maximum 
allowable  working  pressures.    As  with  the  previous  safety  devices  discussed, 
these  devices  are  periodically  tested  to  ensure  operation  at  the  proper  set 
pressures.    Testing  is  generally  done  in  accordance  with  ASTM  Code  UG  126. 

FIRE  PROTECTION  SYSTEM  -  Firefighting  systems  are  installed  on  platforms  in 
accordance  with  API  RP  14G.    Extensive  inspection,  maintenance,  and  testing  of 
this equipment are also performed. Reporting procedures similar to those
discussed above also apply to this equipment.

HAZARD  DETECTION  SYSTEM  -  Flame,  heat,  smoke,  and  gas  detectors  for  specific 
hazardous  gases  are  generally  located  in  potentially  high  hazard  areas.  Fire 
detection  systems  are  installed  in  accordance  with  the  National  Fire  Protection 
Association  standard  for  automatic  fire  detectors.    Periodic  testing  of  this 
equipment  is  also  required. 

The  above  systems  are  just  a  few  illustrative  examples  of  the  types  of  systems 
employed.    Many  additional  systems  are  also  present. 

Figure 6. Typical Safety Analysis Function Chart

Table 3. Example Safety Device Failure Report

SOUTHEASTERN DIVISION - OFFSHORE

Field:

SERVICE TYPE (column 33; circle one code)

C - CONTROL FLUID
E - ELECTRICAL
G - GAS
H - HEAT TRANSFER FLUID
O - OIL/CONDENSATE
[code illegible] - GLYCOL
T - TEMPERATURE/FLAME/HEAT
W - WATER
[code illegible] - OTHER

FAILURE MODE (circle one code)

A - FAILS TO OPEN
B - FAILS TO REMAIN OPEN
C - FAILS TO CLOSE
D - FAILS TO REMAIN CLOSED
E - LEAK INTERNAL
F - LEAK EXTERNAL
G - OUT OF TOLERANCE
H - FAILS TO OPERATE
J - PREMATURE OPERATION
K - FAILS TO REMAIN LOCKED
Z - OTHER

ACTION TAKEN (circle one code)

A - REPAIRED
C - ADJUSTED/RESET
E - SERVICE/CLEAN/LUBE
H - DEVICE REPLACED
X - DEVICE ELIMINATED
Z - OTHER

FAILED PART(S) (columns 35-36; circle one or two codes)

A - BALL/GATE/FLAPPER
B - BEAN
C - BEARING
D - CONTROL SYSTEM
E - CYLINDER
F - DIAPHRAGM
G - ELECTRICAL SYSTEM
H - EQUALIZING SYSTEM
I - FLOAT
J - FLOW TUBE/LINER
K - HOUSING
L - LINKAGE
M - LOCK
N - MANDREL
O - ORIFICE NOZZLE
P - PISTON/POPPET
Q - CAGE
R - SEAL INTERNAL (O-RING)
S - SEAL EXTERNAL (PACKING)
T - SEAT
U - UNKNOWN
V - SPRING
W - PILOT OPERATED VALVE
X - STEM/SHAFT
Y - SENSING ELEMENT
Z - OTHER

FAILED CONDITION(S) (columns 37-38; circle one or two codes)

A - BENT
B - BROKEN
C - COLLAPSED
D - DAMAGED
E - DENTED
F - PLUGGED
G - PUNCTURED
H - RELAXED
I - STUCK
J - WARPED
K - WORN
L - CUT
M - SAND CUT
N - FROZEN
O - LOOSE
P - BURNED
R - BUILD-UP
[code illegible] - UNKNOWN
Z - OTHER

CONTRIBUTING CONDITION(S) (columns 39-40; circle one or two codes; code letters illegible except Z)

FOREIGN MATERIAL
HANDLING
SEALANT
LUBRICANT
WATER
HYDRATES
SAND
SCALE
PARAFFIN
OVERPRESSURE
OVERTEMPERATURE
IMPROPER ASSEMBLY
IMPROPER INSTALLATION
IMPROPER MAINTENANCE
FAILED TO EQUALIZE
CORROSION INTERNAL
CORROSION EXTERNAL
DRIFT
VIBRATION
UNKNOWN
SWOLLEN
CARBON DIOXIDE
HYDROGEN SULFIDE
Z - OTHER

REPORT PREPARED BY:

PROBLEM AREAS

Formal risk analysis methods have been and will continue to be one of the many
tools used for managing risks in offshore oil and gas operations. However,
applications of formal risk analysis methods in a selective fashion can be of
greater value in frontier areas where it is necessary to speculate on the likely
outcome of alternative approaches to field development. Qualitative analysis
is necessary in the absence of data to arrive at some possible answers to the
classic risk question of "what if?" Quantitative risk analysis for offshore
oil  and  gas  operations  is  hampered  by  difficulties  in: 

(1)  obtaining  accurate  failure  mode  and  failure  rate  data  for  the  many 
components  of  a  given  system; 

(2)  obtaining  accurate  probability  distributions  for  losses  resulting  from 
a  system  failure  in  the  absence  of  historic  data; 

(3)  obtaining  operational  history  related  to  component  failure  and  prior 
maintenance work;

(4)  assessing  the  influence  of  human  errors. 

When  failure  mode  and  failure  rate  data  are  available,  they  may  not  apply 
accurately  to  local  conditions  or  to  the  application  under  review.    For  example, 
a  recent  paper  by  Engen  and  Rausand  published  reliability  data  for  surface 
controlled,  subsurface  safety  valves  in  the  North  Sea.    Failure  rate  data  are 
presented  for  four  different  valve  types.    However,  the  authors  caution  that  a 
meaningful  comparison  of  the  failure  rate  data  of  the  different  valves  cannot 
be  made  because  operating  conditions  vary  greatly  among  the  various  fields  and 
operators.    The  presence  of  corrosive  fluids,  hydrogen  sulfide,  sand,  flow  rate 
variations,  etc.  was  not  accounted  for  in  the  study  and  would  greatly  alter 
valve  performance.    It  was  also  pointed  out  that  many  failed  valves  showed 
evidence  of  human  error,  such  as  operating  the  valve  under  a  high  differential 
pressure.    These  difficulties  would  prevent  a  meaningful  comparison  of  failure 
rates  of  individual  valve  types.    However,  it  would  not  prevent  an  order  of 
magnitude  risk  analysis  from  being  made. 

An  effort  must  be  made  to  keep  failure  mode  and  failure  rate  data  current  with 
new  developments.    Manufacturers  are  continually  modifying  their  products  in 
attempts  to  improve  reliability  or  reduce  costs.    Also,  equipment  is  being 
placed  in  increasingly  hostile  environments. 

The  causes  of  most  accidents  or  failures  can  be  attributed  to  human  error  at 
one  or  more  stages  in  the  concept,  design,  fabrication,  and  operation  of  the 
system  of  interest.    The  accurate  modeling  of  human  error  factors  in  formal 
risk  analysis  becomes  increasingly  difficult  as  the  complexity  of  the  system 
increases  and  as  the  amount  of  human  interaction  required  for  system  operation 
increases. This problem makes risk analysis most easily applied to less complex
subsystems which have a high degree of automation.

OPPORTUNITIES  FOR  APPLICATION 

Risk  analysis  procedures  can  be  applied  to  each  phase  in  the  operations  and 
maintenance  of  offshore  oil  and  gas  facilities.    In  current  practice,  the 
techniques  are  most  useful  when  moving  into  a  new  operating  environment  or  when 
applying new unproven technology. In these situations, it provides a systematic
framework to evaluate alternative operating procedures and contingency
plans.    Used  in  this  context,  it  is  a  valuable  tool  for  developing  appropriate 
policy  and  safety  procedures. 

Gierstad  and  Norge  have  presented  a  summary  of  offshore  reliability  data 
obtained  from  a  joint  project  by  seven  companies  operating  in  the  Norwegian 
sector  of  the  North  Sea.    This  OREDA  study  will  produce  a  handbook  of  generic 
reliability data which should aid in the application of risk analysis by
supplementing  the  data  base  of  individual  companies. 

Many engineers involved in offshore oil and gas operations are not familiar with
the various risk analysis techniques available. Additional training opportunities
in this area could make these tools available to a much larger group. The
engineers  involved  routinely  in  solving  problems  in  the  operations  and  maintenance 
of  offshore  oil  and  gas  facilities  are  in  the  best  position  to  see  areas  where 
these  tools  can  be  effectively  applied. 

A  question  not  fully  answered  by  the  working  group  is  whether  the  furtherance 
of  formal  risk  analysis  methods  is  the  most  effective  means  of  improving  offshore 
safety  and  loss  control.    As  previously  indicated,  the  majority  of  accidents 
(85-95%) are caused by human failure, rather than equipment or hardware failure.
Correction  of  this  situation  requires  effective  line  management  of  people.  In 
other  words,  line  management  must  be  trained  in  good  leadership  techniques. 

APPENDIX A


PRELIMINARY  OR  GROSS  HAZARD  ANALYSIS  -  A  Preliminary  Hazard  Analysis  is  usually 
the  first  step  in  a  risk  assessment  procedure.    Using  this  method,  established 
checklists and forms are used to list all of the hazardous materials, situations,
events, potential accidents, human errors, etc., that can be identified. Previous
experience of similar installations is systematically incorporated into
the special forms or check lists used. The last step of the procedure is to
define rules, policy, and procedures that will control the hazards identified.
A distinction is sometimes made between a Gross Hazard Analysis and a Preliminary
Hazard Analysis based on the arrangement of the items considered on the
forms. The preliminary analysis is inductive (starting with possible causes
and proceeding to the possible losses) while the gross analysis is deductive
(starting with the possible losses and proceeding to the causes). Safety
manuals  can  generally  be  regarded  as  the  product  of  a  hazard  analysis. 

HAZARD  AND  OPERABILITY  STUDIES  (HAZOP)  -  Hazard  and  Operability  Studies  are 
used  to  identify  potential  types  of  accidents  that  can  be  traced  through  a 
series  of  events.    Possible  deviations  of  each  physical  parameter  are  considered 
to  determine  combinations  that  are  potentially  hazardous.    Often,  the  HAZOP 
approach  will  be  undertaken  by  an  independent  safety  review  or  audit  group 
which  has  had  no  involvement  in  the  project  development.    In  other  cases,  the 
HAZOP  team  will  include  the  key  personnel  from  the  project  group. 

FAILURE  MODE  AND  EFFECT  ANALYSIS  -  The  Failure  Mode  and  Effect  Analysis  (FMEA) 
procedure  can  be  used  to  identify  how  the  system  under  consideration  works  and 
fails. A related procedure, called the Failure Modes, Effects, and Criticality
Analysis  (FMECA)  is  used  to  identify  the  weakest  links  in  the  design.  These 
methods  are  inductive  in  that  they  start  with  all  of  the  possible  failure 
modes  of  each  component  in  the  system  and  proceed  to  determine  the  effects  or 
consequences  of  these  failure  modes.    As  with  the  other  hazard  identification 
methods,  the  last  step  involves  identifying  corrective  action  for  control  of 
the hazards identified. This method can be extremely time consuming and applications
are relatively limited for complex systems with substantial redundancy.

The  FMEA  and  FMECA  techniques  are  particularly  useful  in  analyzing  hardware 
failures  but  rapidly  lose  credibility  in  analyzing  the  human  failure  factor 
which  can  become  much  more  difficult  to  forecast  or  predict. 

EVENT  TREES  -  Event  Trees  are  used  to  study  identified  hazards  in  more  detail. 
The  starting  point  of  an  Event  Tree  is  the  initiating  event  or  failure  which 
can be traced through the system. Each operation or system leads to two paths
of  known  probability  (success  or  failure).    The  failure  path  at  each  branch 
proceeds  to  the  next  back-up  device  and  composite  probabilities  are  calculated. 
Failure  paths  are  then  studied  in  more  detail  using  a  Fault  Tree. 

FAULT TREES - Fault Trees are similar to Event Trees except that they are
deductive rather than inductive. Thus, the undesirable event is the starting
point of a Fault Tree. The cause of the event is identified and this is considered
an event for subsequent cause evaluation. When an intermediate event
is caused by several simultaneous events, they are linked by an "and" gate
symbol. When an event has several possible independent causes, they are linked
by an "or" gate symbol. This process is repeated until all of the possible
root causes are determined. By using Boolean algebra, it is possible to find
all combinations of basic events which will lead to the top event. Single
basic events which will lead to the top event are called first order failures.
When two basic events are required they are called second order failures, etc.
When failure probability data are available on each component, composite probabilities
can be calculated.
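
The Boolean reduction described in the Fault Trees summary, combined with the effect described under Common Cause Analysis, as an added example that is not part of the workshop report. The tree, the event names and the failure probabilities are constructed for illustration; the code reduces a fault tree to its minimal cut sets, groups them by order, and shows a shared cause turning a redundant pair into a first order failure.

```python
from itertools import product

# A basic event is a string; a gate is a tuple ("and" | "or", child, child, ...).

def minimize(sets):
    """Boolean absorption: drop every cut set that contains a smaller one."""
    sets = set(sets)
    return {s for s in sets if not any(t < s for t in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a fault tree as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "or":        # any one child cut set causes the event
        combined = set().union(*child_sets)
    elif gate == "and":     # one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def by_order(sets):
    """Group cut sets by order: 1 = first order failure, 2 = second order, ..."""
    orders = {}
    for s in sets:
        orders.setdefault(len(s), []).append(sorted(s))
    return {order: sorted(group) for order, group in sorted(orders.items())}


def top_probability(sets, p):
    """Exact top-event probability for independent basic events, found by
    enumerating every failed/working combination of the basic events."""
    events = sorted(set().union(*sets))
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        failed = {e for e, is_failed in zip(events, state) if is_failed}
        if any(s <= failed for s in sets):
            weight = 1.0
            for e, is_failed in zip(events, state):
                weight *= p[e] if is_failed else 1.0 - p[e]
            total += weight
    return total


def shut_in_tree(common_cause=None):
    """Constructed tree: the well fails to shut in only if the surface system
    AND the redundant subsurface system both fail."""
    surface = ["or", "surface_valve_fails_to_close", "surface_sensor_fails"]
    subsurface = ["or", "subsurface_valve_fails_to_close", "control_line_fails"]
    if common_cause:  # one cause that can defeat both systems at once
        surface.append(common_cause)
        subsurface.append(common_cause)
    return ("and", tuple(surface), tuple(subsurface))


# Constructed per-demand failure probabilities, for illustration only.
P = {
    "surface_valve_fails_to_close": 0.01,
    "surface_sensor_fails": 0.02,
    "subsurface_valve_fails_to_close": 0.01,
    "control_line_fails": 0.005,
    "sand_production": 0.001,
}

if __name__ == "__main__":
    for label, cause in (("independent", None), ("common cause", "sand_production")):
        sets = cut_sets(shut_in_tree(cause))
        print(label, by_order(sets), f"P(top) = {top_probability(sets, P):.6f}")
```

With these constructed numbers the shared cause adds a single first order cut set and raises the top-event probability roughly threefold, even though its own probability is lower than that of any individual component failure.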

RELIABILITY  DIAGRAMS  -  Reliability  Diagrams  are  used  to  graphically  represent 
all  possible  combinations  which  can  cause  a  given  failure  mode.    Thus,  they 
are  somewhat  similar  to  Fault  Trees,  but  are  usually  used  in  a  qualitative 
manner.    Generally  each  component  is  considered  to  have  two  states  (good  or 
failed)  and  each  component  is  represented  graphically  as  a  switch  (open  for 
failed).    In  order  to  find  the  combination  of  events  leading  to  system  failure, 
the  diagram  is  studied  to  determine  the  combination  of  open  switches  which 
will result in an open composite circuit. When a combination of open switches
that will cause system failure is identified, it is called a "cut-set".
When all of the open switches are necessary to cause failure, the cut-set is
said to be "minimal". Similarly, a combination of closed switches which will
prevent system failure is called a "tie-set" and the minimum number of closed
switches to prevent failure is called the "minimal tie-set".

MARKOV  DIAGRAMS  -  Markov  Analysis  is  a  procedure  that  can  be  employed  when  it 
is  necessary  to  define  component  failure  as  a  function  of  time.    It  allows  for 
change  of  state  of  each  component  with  time  and  requires  a  knowledge  of  both 
failure  rate  and  repair  rate.    It  is  extremely  complex,  is  practical  only  on  a 
high  speed  computer,  and  in  general  is  only  applied  for  limited  systems  with  a 
high  maintenance  requirement  in  order  to  prioritize  maintenance  work. 

MONTE  CARLO  SIMULATIONS  -  The  Monte  Carlo  simulation  method  is  a  general 
technique  that  can  be  applied  to  determine  the  probability  of  different  modes 
of failure of a complex system. Frequency diagrams for the various possible
states  of  each  component  are  defined.    Also,  the  range  of  possible  physical 
values  of  each  parameter  in  the  system  (such  as  pressures,  flow  rates,  etc.) 
can  also  be  defined  in  terms  of  a  probability  or  frequency  distribution.  The 
probable  state  of  each  component  and  physical  parameter  is  then  simulated 
through  the  use  of  random  number  generators  or  tables.    By  running  a  large 
number  of  simulations  on  a  computer  (perhaps  as  many  as  100,000),  a  sample  of 
possible events is obtained that can be used statistically to determine the
composite events which are most likely to occur and their corresponding
probability.
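
The simulation procedure summarized above, as an added example that is not part of the workshop report. The vessel, its pressure distribution, the setpoint and the component frequency tables are all constructed for illustration; each trial samples one physical parameter and the state of two protective devices, and the tally of composite events is compared with the closed-form values.

```python
import math
import random
from collections import Counter

# Constructed inputs, for illustration only.
PRESSURE_MEAN = 1000.0      # psi, operating pressure of the vessel
PRESSURE_SD = 100.0         # psi
SHUTDOWN_SETPOINT = 1150.0  # psi, high-pressure sensor trips the safety valve

# Frequency tables for the possible states of each protective component.
SHUTDOWN_STATES = {"closes": 0.95, "fails_to_close": 0.05}
RELIEF_STATES = {"opens": 0.98, "fails_to_open": 0.02}


def draw_state(rng, table):
    """Pick one component state at random according to its frequency table."""
    states = list(table)
    return rng.choices(states, weights=[table[s] for s in states])[0]


def composite_event(pressure, shutdown, relief):
    """Combine the sampled parameter and component states into one outcome."""
    if pressure <= SHUTDOWN_SETPOINT:
        return "normal_operation"
    if shutdown == "closes":
        return "shut_in_by_safety_valve"
    if relief == "opens":
        return "relief_device_lifts"
    return "overpressure"


def simulate(trials=100_000, seed=1984):
    """Run the trials with a seeded generator and tally the composite events."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        pressure = rng.gauss(PRESSURE_MEAN, PRESSURE_SD)
        shutdown = draw_state(rng, SHUTDOWN_STATES)
        relief = draw_state(rng, RELIEF_STATES)
        counts[composite_event(pressure, shutdown, relief)] += 1
    return counts


def estimated_probabilities(counts):
    """Relative frequency of each composite event, most likely first."""
    total = sum(counts.values())
    return {event: n / total for event, n in counts.most_common()}


def analytic_probabilities():
    """Closed-form values for the same constructed model, as a cross-check."""
    z = (SHUTDOWN_SETPOINT - PRESSURE_MEAN) / PRESSURE_SD
    demand = 0.5 * math.erfc(z / math.sqrt(2.0))  # P(pressure > setpoint)
    fail_shut = SHUTDOWN_STATES["fails_to_close"]
    fail_relief = RELIEF_STATES["fails_to_open"]
    return {
        "normal_operation": 1.0 - demand,
        "shut_in_by_safety_valve": demand * (1.0 - fail_shut),
        "relief_device_lifts": demand * fail_shut * (1.0 - fail_relief),
        "overpressure": demand * fail_shut * fail_relief,
    }


if __name__ == "__main__":
    estimates = estimated_probabilities(simulate())
    exact = analytic_probabilities()
    for event, p in exact.items():
        print(f"{event:26s} simulated {estimates.get(event, 0.0):.5f}  exact {p:.5f}")
```

The rarest composite event is expected only a handful of times in 100,000 trials, so its estimate carries a much larger relative error than the common outcomes.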

LOGISTICS AND SUPPORT


REPORT  OF  WORKING  GROUP  IV 


PREFACE 

Discussions  in  the  working  group  concluded  that  the  risks  to  be  considered 
include  both  major  accidents  with  serious  loss  or  damage  involving  men  and/or 
materials; and operability/downtime type considerations, where the losses may
be  primarily  economic,  involving  loss  of  time  and  cash  flow.    The  types  of  risk 
analysis  perspectives  that  may  be  applied  range  from  the  limited  scope  involved 
in  project  or  task  decisions  and  management,  to  quite  global  risk  management 
perspectives  where  the  logistics  and  support  fleet  might  be  viewed  as  one 
subsystem  in  the  management  of  risks  associated  with  an  entire  field. 

In  general  it  was  felt  that  simply  developing  estimated  measures  of  risk  is 
inadequate and meaningless. The estimated risks must be subjected to a judgement
process wherein they are determined to be unacceptable/acceptable; better-than/worse-than
some alternative. Flowing out of this process either explicitly
or  implicitly  is  a  decision/action  process.    The  generalized  rational  approach 
appropriate  to  this  process  would  be  to  impose  a  statistical  decision  procedure 
over  the  risk  analysis. 

Another  broad  observation  which  particularly  applies  to  the  domain  of  logistics 
and  support  is  the  lack  of  an  overall  unifying  domain  of  responsibility.  This 
is  a  basic  reflection  of  the  usual  commercial  arrangements  in  this  sector  of 
operation  but  it  poses  a  considerable  obstacle  to  the  application  of  risk 
analysis  techniques  to  many  projects. 

A  last  general  observation,  which  applies  broadly  to  all  engineering  activities, 
not  just  risk  analysis,  is  the  need  to  retain  that  information  bearing  on  the 
confidence  limits  of  our  estimates.    Judgements  concerning  the  meaning  and 
significance  (or  lack  of  meaning  or  significance)  are  primarily  lodged  in  these 
measures  of  the  dispersion  of  certainty  rather  than  in  the  expected  values. 

LOGISTICS  AND  SUPPORT 

Logistics  and  support  activities  comprise  virtually  all  of  the  infrastructure 
of  a  working  offshore  oil  and  gas  field  exclusive  of  the  platforms  and  working 
platform  superstructures.    Even  the  platforms  and  their  superstructures  were 
transported  to  their  working  site  in  a  logistic  operation.    Included  in  support 
activities are services such as firefighting, spill containment and cleanup,
towage,  salvage  and  search  and  rescue.    Thus  when  considering  the  application 
of  risk  analysis  methods,  logistics  and  support  activities  are  among  the  most 
pervasive  aspects  of  offshore  oil  and  gas  production. 

Foremost  among  the  logistic  activities  is  the  transportation  of  the  product  of 
the  oil/or  gas  field.    This  activity  encompasses  marine  pipelines,  offshore 
terminal  and  tanker  loading  facilities,  tankers  and  tank  barges,  and  storage 
facilities.

The movement of personnel, equipment and supplies incorporates consideration
of  supply  vessels,  tugs,  barges,  floating  cranes,  crew  boats  and  helicopters. 
Many  of  these  vessels  perform  important  support  roles  in  response  to  platform 
accidents  and  emergencies  so  any  risk  analysis  performed  at  a  sufficiently 
global systems level must consider the availability, deployability and response
times  associated  with  many  of  these  logistic  and  support  entities. 

EXAMPLE  APPLICATIONS 

A  number  of  example  applications  of  risk  analysis  to  logistics  and  support 
activities were shared and discussed during the sessions of Working Group IV.
Most  occasions  to  apply  these  methods  seem  to  have  originated  either  as  an  aid 
to  internal  decision  processes  or  at  the  request  of  marine  surveyors  on  behalf 
of  the  insurance  industry.    A  brief  listing  of  some  of  the  example  applications 
follows  together  with  annotation  concerning  methods  used,  and  commentary. 

Work  Barge  Operability  Studies 

Method  used:      Theory  of  Second  Order  Stationary  Random  Processes 
(Probability  and  Frequency  Domains) 
References:  1,2,3,4,5,6 

A  number  of  studies  of  this  type  were  discussed.    Applications  were  typically 
to  crane  barges,  dredges  and  pipe  laying  barges.    The  studies  were  used  variously 
to  select  optimal  principal  dimensions  for  new  equipment,  select  the  best 
available  existing  equipment,  determine  number  of  work  units  required  and 
estimate  project  schedule  and  cost. 

Arctic  Ice  Window  -  Wet  Tow  vs.  Dry  Tow 

Method  Used:     Monte  Carlo  Simulation  (Probability  and  Time  Domains) 

A  Monte  Carlo  simulation  study  was  performed  to  examine  voyage  duration,  required 
departure  date  and  risk  of  shut-out  for  the  delivery  voyage  of  an  Arctic  Island. 
Alternatives  compared  were  wet  tow  and  dry  tow  deliveries.    Processes  subject 
to  variability  for  both  delivery  alternatives  were  wind,  current,  and  Arctic 
ice  window  opening.    Additionally  the  wet  tow  was  subject  to  uncertainty  in 
Stillwater  towing  resistance. 

Logistic  and  Supply  Relative  to  Hutton  TLP 

Methods  Used:     Markov  Network  Analysis  (Probability  and  Time  Domains) 

As  a  weight  sensitive  design  the  storage  requirements  for  drilling  supplies  are 
very  critical.    Richard  Van  Hooff  indicated  that  a  Markov  network  analysis  of 
the  logistics  and  supply  capabilities  that  could  be  provided  assisted  in 
determining  the  acceptability  of  reduced  drilling  supplies  storage  capability. 

Voyage  Risk  Analyses  for  Sea  Fastenings,  Production  Jackets,  Jack-Up  Legs  and 
Modules 

Methods Used: Theory of Second-Order Stationary Random Processes
(Probability Domain and Either Frequency or Time Domain)
References: 1,7,8

Numerous examples exist where either frequency or time domain risk studies have
been  applied  to  voyages,  usually  by  barge  but  also  in  the  case  of  rigs,  wet 
towed  on  their  own  hulls.    Time-domain  methods  have  been  used  where  significant 
nonlinear  response  mechanisms  are  at  work,  otherwise  frequency  domain  analysis 
is usually employed. The critical processes with which these studies are
concerned are usually wave-induced dynamic structural loads involving
sea-fastenings,  fatigue  sensitive  joints  on  jackets,  jack-up  rig  legs  guides, 
and  internal  outfit  on  production  modules.    Such  studies  involve  consideration 
of  spatially  and  temporally  varying  wave  climatologies. 

Tanker  Loading  at  Offshore  Terminals 

Methods  Used:     Theory  of  Second-Order  Stationary  Random  Processes 

Examples  were  presented  where  reliability  and  risk  analyses  were  used  in 
evaluating  the  dynamic  and  operating  characteristics  of  proposed  offshore 
terminal  designs.    Primary  factors  studied  were  weather  limits  on  hook-up  and 
product  transfer,  and  avoidance  of  such  casualties  as  failure  of  loading  hoses 
or  mooring  hawsers. 

Real-Time  Offshore  Crane  Operations 

Methods Used: Theory of Second-Order Stationary Random Processes and
Markov Processes (Probability, Frequency and Time Domains)
References: 9

Real-time  feedback  and  operations  optimization  systems  have  been  employed  to 
improve  the  operations  of  offshore  cranes  operating  under  exposed  weather 
conditions,  especially  when  employed  in  heavy  lifts  of  high  value.    Such  systems 
employ  precomputed  motion  operators,  real  time  sea  state  and  motion  monitoring, 
simulator  and  optimization  elements.    Field  experience  with  these  systems  has 
been  quite  positive. 

Mooring  System  Design  Studies 

Methods Used: Theory of Second-Order Stationary Random Processes
(Probability Domain and Frequency and/or Time Domains)

Mooring  arrangements  for  work  barges  and  other  support  vessels  working  in  close 
proximity  to  each  other  and/or  to  fixed    platforms  have  been  studied  to  determine 
required  geometry,  elasticity  and  strength. 

Oil  Spill  Simulation 

Methods  Used:     Time  Domain  Simulation  and  Monte  Carlo  Statistical  Methods 
(Probability  and  Time  Domains) 

Studies  have  been  conducted  to  estimate  probable  trajectories  for  oil  spills 
under  various  conditions  of  wind,  current,  and  oil  flow  rates  (as  for  instance 
in  the  case  of  blowouts).    Such  studies  have  been  used  as  an  aid  in  assessing 
the  threat  to  beaches  and  other  marine  resources  posed  by  potential  oil  pollution 
sources. 
APPROPRIATE TECHNIQUES


Many of the techniques appropriate to risk analysis, as applied to logistics
and support activities, have been briefly cited above with the example
applications. A more complete compilation of appropriate methods follows.

Theory  of  Second-Order  Stationary  Random  Processes  - 

Of  all  the  techniques  to  be  discussed,  the  theory  of  second-order  stationary 
random  processes  has  been  most  widely  applied  to  problems  concerning  logistics 
and support activities. The prevalence of this technique derives from the suitability
of  the  theory  for  studying  linear  systems  (e.g.,  work  barges  and  support  vessels) 
subject  to  excitation  derived  from  a  random  field  (i.e.,  wave  field).  When 
combined  via  the  probability  calculus  with  wave  climatologies,  the  method  yields 
quantitative  measures  of  risk  and  operability  in  the  selected  environment. 
References:  1,2,8 

Markov  Process  Analysis  - 

Many  logistic  and  support  activities  can,  from  an  appropriate  perspective,  be 
regarded  as  Markov  processes.    (A  popular  example  of  a  Markov  process  is  the 
"random  walk".)    Wind  and  wave  climatologies,  ice  movements,  the  occurrence  and 
duration  of  "operational  windows"  are  all  examples  which  may  be  fruitfully 
subjected  to  Markov  analysis. 

Queuing  Theory  - 

Queuing  models  are  closely  associated  with  Markov  processes.    Such  models  may 
be  applied  to  logistics  and  supply  problems  such  as  the  transportation  of 
supplies  to  an  offshore  platform,  or  the  adequacy  of  an  offshore  oil  transfer 
terminal.    For  instance,  such  questions  as  average  tanker  waiting  time  before 
loading  and  average  terminal  idle  time  of  an  offshore  oil  loading  terminal 
would  be  appropriate  queuing  theory  issues. 

Time  Domain  Simulations  - 

Many  processes  are  most  easily  addressed  by  direct  time  domain  simulation.  In 
the  realm  of  dynamics  the  usual  reason  for  resorting  to  time  domain  simulation 
is the desire to incorporate nonlinear system elements (e.g., nonlinear mooring
forces).    Other  motivations  for  time  domain  simulation  include  the  ability  to 
introduce  human  operator  input  (real  time  simulation,  such  as  some  maneuvering 
studies)  and  systems  whose  complexity  is  most  easily  addressed  in  the  time 
domain,  e.g.,  very  complex  networks.    Time  domain  methods  are  at  their  most 
powerful  when  coupled  with  Monte  Carlo  statistical  methods  (following  discussion). 
Typical  problems  addressed  by  time  domain  simulation  are  nonlinear  dynamics, 
maneuvering,  nonlinear  wave  hydrodynamics,  oil  spill  trajectories  and  logistic 
network  performance. 
Monte Carlo Statistical Methods -


Monte  Carlo  statistical  methods  form  a  powerful  adjunct  to  other  simulation 
techniques  where  the  simulation  incorporates  random  variables.    The  Monte  Carlo 
method  simply  involves  repeated  trial  runs  of  the  simulator  culminating  in  the 
assemblage  of  response  statistics,  much  as  one  might  collect  repeated  data  from 
a  physical  experiment.    The  insight  provided  into  nonlinear  process  statistics 
is  similar  to  that  provided  for  linear  systems  through  frequency  domain  analysis. 
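The queuing, time domain simulation and Monte Carlo passages above, combined in an added example that is not part of the workshop report: a single-berth offshore loading terminal is simulated in the time domain, the run is repeated Monte Carlo fashion, and mean tanker wait and terminal idle fraction are reported with their dispersion beside the analytic queuing result. Poisson arrivals, exponential loading times, the rates and all function names are assumptions chosen for illustration.

```python
import math
import random
import statistics


def mm1_theory(arrival_rate, loading_rate):
    """Analytic single-server queue results (assumed M/M/1 model).

    Returns (mean wait before loading, long-run idle fraction of the berth).
    """
    rho = arrival_rate / loading_rate
    if rho >= 1.0:
        raise ValueError("terminal saturated: arrival rate must be below loading rate")
    return rho / (loading_rate - arrival_rate), 1.0 - rho


def simulate_terminal(arrival_rate, loading_rate, n_tankers, rng):
    """One time domain run of a single berth, first come first served.

    Returns (mean wait before loading, fraction of elapsed time the berth is idle).
    """
    clock = 0.0          # arrival time of the current tanker (days)
    berth_free_at = 0.0  # time at which the berth finishes its current loading
    total_wait = 0.0
    total_idle = 0.0
    for _ in range(n_tankers):
        clock += rng.expovariate(arrival_rate)       # next tanker arrives
        if clock >= berth_free_at:
            total_idle += clock - berth_free_at      # berth stood empty
            start = clock
        else:
            start = berth_free_at                    # tanker waits for the berth
        total_wait += start - clock
        berth_free_at = start + rng.expovariate(loading_rate)
    return total_wait / n_tankers, total_idle / berth_free_at


def summarize(samples):
    """Keep the dispersion of the run results, not just their mean."""
    ordered = sorted(samples)
    n = len(ordered)
    mean = statistics.fmean(ordered)
    stdev = statistics.stdev(ordered)
    half_width = 1.96 * stdev / math.sqrt(n)         # normal approximation
    return {
        "mean": mean,
        "stdev": stdev,
        "ci95": (mean - half_width, mean + half_width),
        "p05": ordered[int(0.05 * (n - 1))],
        "p95": ordered[int(0.95 * (n - 1))],
    }


def monte_carlo(n_runs, arrival_rate, loading_rate, n_tankers, seed):
    """Repeat the simulator and assemble response statistics over the runs."""
    rng = random.Random(seed)                        # seeded for repeatability
    waits, idles = [], []
    for _ in range(n_runs):
        wait, idle = simulate_terminal(arrival_rate, loading_rate, n_tankers, rng)
        waits.append(wait)
        idles.append(idle)
    return summarize(waits), summarize(idles)


if __name__ == "__main__":
    # Constructed inputs: one tanker every two days on average, one day to load.
    ARRIVALS_PER_DAY, LOADINGS_PER_DAY = 0.5, 1.0
    wait, idle = monte_carlo(200, ARRIVALS_PER_DAY, LOADINGS_PER_DAY, 2000, seed=1984)
    theory_wait, theory_idle = mm1_theory(ARRIVALS_PER_DAY, LOADINGS_PER_DAY)
    print(f"mean wait (days): {wait['mean']:.3f}  theory {theory_wait:.3f}")
    print(f"  95% limits on mean: {wait['ci95'][0]:.3f} to {wait['ci95'][1]:.3f}")
    print(f"  5th to 95th percentile of runs: {wait['p05']:.3f} to {wait['p95']:.3f}")
    print(f"idle fraction: {idle['mean']:.3f}  theory {theory_idle:.3f}")
```

The spread between the 5th and 95th percentile of individual runs is much wider than the confidence limits on the overall mean, which is the kind of dispersion information the report asks analysts to retain.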

Three other techniques were discussed by the working group. These were HAZOP
studies, exercises, and model testing. Model testing is a powerful method, to be
considered especially where nonlinear phenomena are suspected of being important.
Exercises are conducted both at full-scale and in simulations. Full-scale
exercises, particularly of emergency response systems, are valuable both as a
management and training tool, and as a source of data for data analytical risk
analysis procedures. Lastly, the HAZOP methods of analysis were suggested as
an appropriate means of identifying problems requiring further study.

DATA  NEEDS 

Data  needs,  and  research  and  development  needs  (to  be  discussed  in  the  following 
section)  are  quite  closely  related.    Three  main  themes  dominate  the  data  needs 
for  risk  analysis  as  applied  to  logistic  and  support  activities;  these  are: 
1)  Joint  probabilities,  2)  Statistical  dispersion  (variability)  information, 
i.e.,  retention  of  more  than  just  mean  trends,  and  3)  Better  definition  of 
system  "capabilities"  by  which  it  is  meant  the  distributions  representing 
criteria  for  critical  system  events.    The  data  needs  identified  by  the  working 
group  are  summarized  in  the  following  list: 

Wave  Data  - 

Joint climatological statistics for period*, height (significant), principal
heading angle and key parameter(s) for directional spreading.

Directionality: better data on directional spreading functions.

Independence parameters: independence period and distance, for wave climatology
processes.

Persistence: better and more complete data on sea state persistence.

Better wave data for newly emerging areas of operations, and particularly for
logistics and support, better wave data along supply routes leading to operations
area.


* Concerning the wave period, it is particularly important that work establishing
a climatological data base be very clear and precise in its definition of the
period statistic presented.
Ice -


Ice  floes  and  cover,  spatial  and  temporal  distribution  statistics. 
Ice  keels,  frequency  of  occurrence  and  draft  for  operating  areas. 
Ice windows, persistence data.

Ice  accretion  rates  on  equipment  and  superstructure  under  various  environmental 
conditions. 

Visibility  - 

Joint  probability  with  respect  to  other  key  environmental  conditions. 
Environmental disturbances to communications and navigation.

Seamanship -

Markov transition matrices for heading and speed vs. directional sea state, wind,
ice, visibility, slamming, acceleration, etc.

Capability  - 

What  causes  shut-down  of  crane  operations? 

What  causes  cessation  of  supply  delivery? 

Under  what  conditions  can  personnel  be  transferred? 

What  causes  speed  or  heading  changes?    (see  Seamanship  above) 

Spills  - 

Cleanup  capabilities  vs.  broken  ice  cover. 

Dispersion rates and trajectories for new areas such as the Arctic.

RESEARCH AND DEVELOPMENT NEEDS

Research and development needs fall under three main headings, those being:
1) human factors, 2) nonlinear problems and 3) statistical decision procedures.
Problems and topics in each of these areas are listed below.

Human  Factors  - 

Seamanship:    To  what  factors  and  processes  does  a  skilled  seaman  respond,  and 
what  are  those  responses?    What  is  the  typical  variation  in  seamanship  responses? 

Capabilities: What factors and processes result in the shutting down of crane
operations? ... supply transfer operations? ... dredging operations? ...
personnel transfer? ... etc.

Real  time  feedback  effects  -  impacts  of  forecasting  and  monitoring  (note  that 
those  effects  need  not  occur  through  a  human  interface  process).    Prospects  for 
further  implementation  of  feedback  and  monitoring.    References:  9,10 
Nonlinear Problems -

Numerous  nonlinear  problems  exist  and  only  a  few  examples  are  presented  here. 
However,  the  development  of  widely  accepted  higher  order  models  for  the  irregular 
wave  field  and  corresponding  theories  of  response  will  greatly  enhance  our 
practical  mastery  of  nonlinear  hydrodynamic  interactions. 

Stability and capsize in a seaway:
    Subharmonic resonance
    Water on deck

Roll damping:
    Interaction between shed bilge eddies and incident wave field

Drift forces:
    Shallow water cases

Steep irregular wave fields:
    Hydrodynamic and statistical modeling

Higher order response theories:
    The natural corollary to higher order models of the wave field

Statistical  Decision  Procedures  - 

Development  work  is  needed  to  introduce  appropriate  statistical  decision 
procedures  into  both  operations  planning  and  real-time  operations  decision 
generation. Such work is particularly necessary as an adjunct to further
implementation  of  real  time  monitoring  and  feedback  systems. 

OPPORTUNITIES  FOR  IMPLEMENTATION 

In addition to the applications of risk analysis and management techniques to
those problems to which they are currently applied (and the growth in such
applications) three thoughts were discussed which may point to future
opportunities for implementation. These three ideas were:

1)  Consider  logistics  and  support  at  the  field  and  platform  development/ 
design  stage  -  not  as  an  afterthought.    In  particular: 

a)  Consider  logistic  issues  as  they  apply  to  platform  and  production 
system  module  delivery  to  the  field. 

b)  Utilize  systems  approach  to  define  available/required  support  and 
interaction  of  such  support  with  design. 

2)  Consider  logistic  and  support  capabilities  as  a  subsystem  in  more  global 
risk  analyses. 

a)  Logistic  and  support  capabilities  during  emergency  response  and 
assistance. 

b) Logistic and support craft and facilities as a source of hazard

and 3) Consider logistic and support as an integral part of overall project
optimization.

BARRIERS  TO  IMPLEMENTATION 

Most  of  the  barriers  to  implementation  are  institutional  in  character  and  as 
such probably reflect the relative unfamiliarity of a wider user public (including
many  engineers)  with  the  probabilistic  perspective.    Specific  citations  of  this 
type  would  include  marine  surveyors  with  static  rules  and  codes  of  the 
specification  type. 

Other  barriers  to  implementation  include  the  usual  lament  concerning  proprietary 
data,  and  the  frequent  lack  of  a  unifying  framework  of  responsibility  concerning 
logistic  and  support  activities. 

Two other barriers deserve mention. The first is time during emergency or
salvage situations. Only pre-planning, pre-analysis and experience can be
brought to bear in an emergency situation; there is usually no time for
sophisticated real time analysis. The second and not unrelated problem is that
much of the information provided to user/operators is unusable, having been
generated to satisfy the engineers and regulatory requirements, not as real
aids to an operator in an emergency.
Written comments (dated June 8, 1984) on the Working Group IV (Logistics and
Support)  position  paper,  by  Mr.  Robert  C.  Phillips. 

"There  are  a  number  of  consultants  and  research  groups  working  on  formal  risk 
analysis  methods  who  are  advocating  a  much  wider  application  of  formal  risk 
analysis  to  offshore  oil  and  gas  operations,  believing  that  it  will  be  possible 
to make better and safer decisions, and thereby save money. There is considerable
skepticism from industry and others. The risk analysis advocates utilize
many of the precepts and ideas propounded in the late 60's and 70's by operations
research analysts. However, many of these methods have been considerably
refined  since  that  time.    These  risk  analysis  methods  attempt  to  quantify  risk 
and  the  assessment  of  risk  mathematically.    However,  the  assessments  are  often 
very  rough  due  to  the  lack  of  detailed  statistical  data  on  one  or  more  of  the 
important  factors.    That  is,  the  answer  may  be  correct  within  one  or  two  orders 
of  magnitude.    While  this  type  of  analysis  is  useful  for  certain  purposes  it 
may  not  meet  the  needs  of  an  operating  manager  or  design  engineer.    Further,  it 
may  not  be  practical  to  obtain  the  detailed  statistical  data  that  formal  risk 
analysis  requires  to  give  better  answers.    First  the  necessary  data  has  not 
always  been  precisely  defined  by  the  risk  analysis  proponents  and  secondly,  the 
acquisition  of  such  data  may  be  far  too  expensive,  particularly  where  it 
involves  the  statistics  of  human  behavior. 

Another  problem  in  the  practical  application  of  risk  analysis  is  that  the 
methods  usually  develop  probabilistic  assessments.    However,  risk  is  not  only 
highly  subjective  among  individuals,  it  also  is  subjective  to  considerable  change 
in  the  same  individual,  particularly  one  who  is  not  trained  in  such  assessments, 
may  apply  very  different  risk  criteria  in  assessing  personal  risk  and  business 
risk. 

Several  positive  results  occurred  as  a  result  of  the  workshop: 

-  It  promoted  much  needed  communication  between  the  practitioners  of  formal 
risk  analysis  and  the  potential  users  of  this  discipline. 

-  It emphasized that many people are using the terms risk analysis and risk
assessment  without  clear  ideas  as  to  the  specific  meaning  of  the  terms. 

-  It  emphasized  that  formal  risk  analysis  techniques  work  better  when 
considering  financial  or  property  type  risks  (easily  quantifiable  subjects), 
than when considering human factors and risk to humans (not easily
quantifiable).

The  Group  IV  position  paper  recognizes  some  of  these  points,  particularly  noting 
the "relative unfamiliarity of a wider user public (including many engineers)
with  the  probabilistic  perspective."    Actually,  the  problem  may  be  broader  than 
noted  in  the  position  paper.    The  evaluation  of  risk  requires  not  only  a 
knowledge  of  probability  and  the  probability  perspective  but  an  understanding 
of  risk  criteria.    Actually,  the  user  must  have  considerable  knowledge  of  formal 
risk  analysis  methods  if  he  is  to  have  confidence  in  the  results  of  such 
sophisticated  analyses.    He  may  not  be  as  skilled  in  applying  the  techniques 
and in developing the assessment, but he must have a reasonably good understanding
of what he is receiving from the formal risk analysis, in order to depend on it.
The  operations  research  analyst  working  with  the  government  (particularly  in 
the  military)  had  continuing  problems  in  establishing  credibility  with  the 
operating  managers  due  to  the  lack  of  understanding  between  the  two  groups. 

Another  problem  with  the  use  of  formal  risk  analysis  is  briefly  mentioned  in 
the  Group  IV  position  paper  in  the  preface.    That  is,  there  are  few  consensus 
standards  on  acceptable  risk  criteria.    Since  the  subject  is  not  too  well 
understood  by  large  numbers  of  people  there  has  been  no  substantial  effort  to 
establish  such  criteria.    When  human  health/safety  is  involved,  the  emotional 
and  political  aspects  are  so  pronounced  that  it  becomes  extremely  difficult  to 
establish  any  realistic  risk  criteria. 

One  observation  that  might  be  made  from  the  workshop  is  that  there  is  a 
substantial  need  for  additional  treatment  of  risk  analysis  and  risk  criteria  in 
all  college  curricula  if  society  is  to  cope  adequately  with  the  advances  in  all 
fields  of  technology.    Otherwise,  society  will  be  unnecessarily  burdened  with 
unrealistic  restrictions  and  regulations  generated  by  fear  and  by  purely 
emotional judgements."
Chairman's Closing Remarks:


The  position  paper  developed  by  Working  Group  IV  elicited  written  comments  from 
Mr.  Robert  C.  Phillips  of  the  Travelers  Insurance  Group  which  I  have  chosen  to 
include  (above)  as  part  of  the  working  group  report.    Additionally,  Mr.  Henry 
Chen of SOHIO phoned in some comments to me which largely parallel the sentiments
expressed in Mr. Phillips' written comments. Additionally Mr. Chen
expressed the opinion, widely held within the working group, that the application
of risk and reliability studies should not be mandated by regulation.

In  closing  I  would  like  to  emphasize  a  few  points  which,  while  treated  in  the 
position  paper,  perhaps  deserve  review,  particularly  in  consideration  of  the 
comments  received.    First  I  wish  to  emphasize  again  the  importance  of  including 
measures  of  confidence  in  risk  and  reliability  work.    The  inclusion  of  confidence 
limits  can  substantially  address  the  concerns  expressed  in  Mr.  Phillips'  opening 
paragraph. 

Second,  I  would  observe  that  probability  is  the  natural  and  preferred  language 
for  discussing  risk.    If  probabilistic  assessments  are  unfamiliar  to  the  user 
public,  then  it  points  to  an  inadequacy  within  our  educational  and  training 
systems  (as  Mr.  Phillips  so  ably  observed)  rather  than  an  inadequacy  in  the 
language  of  expression. 

There  is  a  distinction  to  be  drawn,  in  many  opinions,  between  measures  of  risk 
(by  which  I  mean  the  probability  of  some  event  or  consequence)  and  the  judgement 
or  evaluation  of  a  risk  or  consequence.    Assume  that  in  a  given  problem  the 
risk  of  a  particular  innocuous  structural  failure  is  0.0001,  and  that  in  a 
separate  problem  the  risk  of  the  loss  of  a  human  life  is  also  0.0001.    The  risk 
in  both  instances  is  identical  but  we  would  all  judge  the  consequences  very 
differently.    If  we  strive  (as  recommended  under  research  and  development  needs) 
to  develop  statistical  decision  processes  which  can  structure  and  formalize  the 
judgement  of  these  disparate  consequences  we  will  again  find  the  probability 
calculus  to  be  a  worthy  and  suitable  language  for  expressing  our  results. 

Lastly,  I  wish  to  observe  that  risk  analysis  procedures  are  being  successfully 
applied  within  the  offshore  oil  and  gas  industry  as  a  means  of  reasonably 
addressing engineering and operational issues of limited scope. Such applications
typically involve the application of those methods described in the
position  paper  as  second-order  stationary  random  processes  and  usually  pertain 
to  responses  to  waves.    Without  consideration  of  exposure  periods  and  wave 
climatology  such  methods  fall  short  of  what  could  be  regarded  as  a  risk  analysis. 
However,  with  consideration  of  exposure  and  wave  climatologies  a  risk  analysis 
is  obtained.    Such  methods  have  found  particular  application  in  the  areas  of 
logistic  and  support  activities  because  often  very  brief  exposures  are  involved. 

I  would  like  to  take  this  opportunity  to  express  my  thanks  to  the  participants 
in  Working  Group  IV  for  their  contributions  to  the  general  discussion  and  to 
the  working  group  report.    I  would  also  like  to  thank  the  Minerals  Management 
Service  for  sponsoring,  and  the  National  Bureau  of  Standards  for  organizing, 
this  workshop  on  the  application  of  risk  and  reliability  analysis  to  offshore 
oil and gas operations. The workshop has engendered a most worthwhile exchange
of  perspectives  and  information. 
APPENDIX I

THEME  PRESENTATIONS  AND  OTHER  CONTRIBUTIONS 


INTRODUCTION 


The  first  part  of  the  workshop  was  dedicated  to  theme  presentations  by  invited 
speakers.    In  addition,  some  of  the  workshop  participants  contributed  valuable 
information.    The  theme  papers  and  contributions  are  presented  in  this  Appendix 
and  summarized  in  the  following  section. 

SUMMARY  OF  PRESENTATIONS 

Mr.  F.  P.  Dunn,  from  Shell  Oil  Company,  presented  an  overview  of  current  practice 
in  the  U.S.  in  exploration,  field  development,  and  operation  and  maintenance. 
The  importance  of  voluntary  industry  standards  was  stressed.    The  standards  are 
also  incorporated  in  government  regulations  (MMS  and  USCG).    Formal  reliability 
analysis  was  used  in  many  instances  to  provide  a  rational  basis  for  the  industry 
standards. American Petroleum Institute (API) Standard API 2A on Offshore
Structures is in the process of being changed to a reliability based format.
At times, industry resorts to reliability analysis to arrive at optimum solutions,
as in the case of exploration drilling structures for Harrison Bay in
the  Beaufort  Sea.    The  point  was  made  that  risk  analysis  is  not  necessarily  a 
panacea,  and  that  many  accidents  are  caused  by  engineering  or  detailing 
deficiencies  which  would  not  be  prevented  by  risk  analysis. 

Dr.  David  Slater,  from  Technica,  London,  U.K.,  reviewed  various  safety  and 
reliability  assessment  methodologies  applied  to  offshore  installations  and  the 
practical  applications  of  these  methodologies  in  the  North  Sea.  Methodologies 
discussed  were:    Conceptual  Design  Safety  Evaluation;  Hazard  Survey/Hazard 
Inventory;  Process  Safety  Design  Checks;  Hazard  and  Operability  Study/Failure 
Modes and Effects Analysis (HAZOP/FMEA); System Reliability/Fault Tree Analysis;
Event  Tree  Analysis;  Cause-Consequence  Diagram;  Structural  Reliability  Analysis; 
Simulation  Techniques;  Risk  Assessment;  Construction  Audit/Pre-Construction 
Check;  and  Safety  Audit. 

Dr.  Slater  noted  that  in  the  North  Sea  at  least  four  full  risk  analyses  were 
performed on behalf of industry, and about a dozen concept evaluations were
carried  out  for  the  Norwegian  Petroleum  Directorate  (NPD).    HAZOP  has  recently 
been  very  widely  used  in  the  North  Sea  because  of  its  advantages  over  API 
Standard  RP  14C  which,  even  though  it  is  simpler  to  apply  than  HAZOP,  does  not 
provide  much  information.    He  also  noted  that  reliability  analysis  is  used  to 
verify  target  reliability  levels  in  production,  to  evaluate  failure  frequencies 
in  complex  plants  as  part  of  a  risk  analysis,  and  to  evaluate  the  effectiveness 
of  protective  systems. 

Dr. Øysten Berg, from NPD, discussed the safety management of offshore development
projects  by  NPD.    Offshore  oil  and  gas  production  in  Norway  is  regulated  in 
accordance  with  a  Royal  Decree  dated  October  3,  1975,  which  will  be  updated  in 
the  near  future  as  a  result  of  revisions  following  the  "Alexander  Kielland" 
accident.    Effective  control  of  safety  is  assured  by  "internal  control"  systems, 
in  which  industry  is  responsible  for  enforcing  the  implementation  of  the  safety 
regulations  in  their  own  operations.    The  regulations  require  a  "conceptual 
safety  evaluation"  which  must  document  that  the  initial  concept  chosen  for  the 
field  development  will  result  in  acceptable  safety.    A  system  reliability 
analysis has to be performed considering all "design accidental events" (DAE's,
or  most  unfavorable  situations)  which  can  be  envisioned.    "Improbable"  accidental 
events  are  excluded  from  consideration;  an  "improbable"  event  is  defined  as  one 
which  by  the  best  available  estimates  has  a  probability  of  occurrence  of  less 
than 10^-4 per year. "Adequacy" is measured by the ability of main support
structures,  escape  ways,  and  shelter  areas  to  remain  functional  or  partly 
functional  during  the  DAE's  considered.    Considerable  R&D  was  sponsored  by  NPD 
between  1978  and  1983  to  facilitate  the  implementation  of  their  safety 
requirements. 

In  addition  to  the  theme  presentations,  the  following  information  was  conveyed: 

Mr.  Struan  Simpson  of  the  E&P  Forum,  discussed  their  study  of  the  relevance  of 
risk  analysis  initiated  in  1981.    The  survey  conducted  to  date,  which  considered 
methodologies  and  typical  application  in  offshore  projects,  indicates  that  risk 
analysis  has  been  used  in  a  wide  range  of  projects,  from  assistance  to  engineering 
design  through  safety  evaluations  for  project  management  and  statutory  agencies. 
While  industry  recognizes  the  value  of  risk  analysis,  it  is  evident  that  these 
analyses  supplement  the  primary  engineering  and  management  processes,  rather 
than  being  a  primary  decisionmaking  tool.    It  was  also  stated  that  risk  analysis 
cannot  identify  hazards  that  are  not  inherent  in  the  basic  engineering  design 
models  and  considerations.    Thus,  risk  analysis  supplemented,  but  did  not 
replace  conventional  engineering  and  management  practices.    Further  studies 
will  consider  the  impact  of  risk  analysis  on  exploration  and  production  projects. 

Mr.  Torkell  Gjerstad  from  Elf  Aquitaine-Norge,  discussed  the  Offshore  Reliability 
Data  (OREDA)  Study.    Statistical  data  are  now  being  collected  from  several  oil 
companies  on  the  performance  of  150  different  components  of  offshore  installations 
in  the  North  Sea  and  the  Adriatic  Sea.    The  data  will  be  published  by  the  end 
of  1984  in  the  form  of  a  reliability  handbook.    The  data  will  be  presented 
generically  and  their  source  will  remain  anonymous.    However,  the  OREDA  Steering 
Committee  will  have  information  on  the  data  source  and  thus  will  be  able  to 
check  the  data,  if  necessary. 

RELIABILITY ANALYSIS
OVERVIEW  OF  CURRENT  PRACTICE 

by 

F.  P.  Dunn 


INTRODUCTION 

I  appreciate  the  opportunity  to  talk  with  you  on  this  rather  important  subject  -- 
risk  analysis,  or,  more  to  my  liking,  reliability  analysis.    I  have  been  asked 
to  comment  on  application  of  reliability  analysis  in  the  offshore  oil  and  gas 
industry  --  how  or  whether  it  is  being  employed,  its  benefits,  limitations, 
etc. 

As  some  of  you  already  know,  the  Oil  Industry  Exploration  and  Production  Forum 
(E&P  Forum)  set  up  a  Working  Group  in  1981  to  study  and  report  upon  the  uses, 
applicability,  and  limitations  of  risk  assessment  in  offshore  exploration  and 
production  operations.    The  Working  Group  made  a  survey  among  member  companies 
in  order  to  ascertain  the  extent  to  which  risk  assessment  is  used  offshore,  for 
what  purpose,  and  with  what  effect.    A  member  of  the  E&P  Forum  will  discuss  the 
efforts  of  the  group  a  little  later. 

I  will  talk  briefly  about  the  various  facets  of  the  offshore  industry,  from 
exploration  to  development  and  production,  with  emphasis  placed  upon  the  methods 
employed  to  achieve  an  acceptable  level  of  reliability  and  safety.    Since  my 
background  is  mostly  offshore  structures,  I  hope  you'll  pardon  me  if  I  spend  a 
little  more  time  on  that  subject  than  on  the  other  aspects  of  our  business. 

I  will  not  concentrate  on  the  formal  mathematical  procedures  involved  in  carrying 
out  a  classical  reliability  analysis  --  you're  not  going  to  see  any  formulas 
with  summations,  probabilities,  or  double  integrals  —  rather  I  will  concentrate 
on  the  fundamental  philosophies,  methods,  and  procedures  employed  by  the  industry 
to  establish  the  desired  level  of  reliability  in  its  activities. 

I  believe  one  of  the  most  important  considerations  in  establishing  and  maintaining 
a  high  degree  of  reliability  in  the  offshore  industry  is  the  development  and 
maintenance  of  codes,  standards,  and  guidelines.    The  knowledge  and  the  experience 
gained  through  the  years  are  documented  in  such  codes,  standards,  and  guidelines 
for  use  by  all.    I  quote  from  an  article  which  appeared  in  the  Marine  Board 
Annual  Report,  1981: 

"The  engineering  profession,  which  serves  both  industry  and 
government, has long recognized the need to provide self-regulation
and guidance to ensure the maintenance of professional
standards  of  design  and  construction.    The  engineering  profession 
in  the  United  States  pioneered  self-regulation  of  many  activities 
before  their  regulation  was  taken  up  by  government,  through  such 
steps  as  professional  licenses,  the  standardization  of  materials 
and testing procedures, the development of guidance rules and
codes,  and  the  promulgation  of  recommended  practices. 

Similarly,  industry  has  recognized  the  need  to  produce  the 
resources  and  carry  out  activities  in  the  demanding  environment 
of  the  oceans  in  a  safe  manner,  to  ensure  the  ongoing  productivity 
of  its  personnel  and  its  facilities,  and  thus  to  protect  its 
investment.

The  engineering  profession  and  industry  have  historically 
joined  together  in  voluntary  actions  to  produce  a  wide  range  of 
consensus standards."¹

Many  organizations  participate  in  creating  these  documents  --  the  Coast  Guard, 
the  Minerals  Management  Service,  industry  organizations  such  as  the  American 
Petroleum  Institute  (API),  the  American  Bureau  of  Shipping  (ABS),  professional 
societies  like  the  American  Society  of  Mechanical  Engineers  (ASME),  and  various 
domestic  and  foreign  standards  writing  organizations.    All  of  these  organizations 
have  cooperated  in  creating  a  fairly  comprehensive  set  of  documents,  whose 
purpose  is  basically  to  provide  for  an  acceptable  level  of  reliability  in 
conducting  various  activities. 

Formal  reliability  analyses  have  been  employed  frequently  in  creating  rational 
bases  for  the  contents  of  these  documents,  and  I  will  point  out  later  a  few 
examples  of  the  use  of  such  analyses  in  some  of  our  operations. 


EXPLORATION 

There  are  three  major  categories  of  equipment  used  in  offshore  exploration 
activities:    (1)  seismic  vessels;  (2)  mobile  offshore  drilling  units;  and 
(3)  support  vessels,  e.g.,  crew  boats,  helicopters,  etc. 

1.     Seismic  Vessels 

Seismic  vessels,  as  a  percentage  of  the  whole,  represent  a  very  small  part  of 
offshore operations. Therefore, I will only point out in passing that such
vessels  and  their  maritime  appurtenances  are  regulated  under  USCG  regulations, 
ABS  certification  requirements,  and  the  International  Convention  on  Safety  of 
Life  at  Sea,  1974.    Also,  the  maritime  personnel  on  board  are  subject  to 
government  license  requirements. 

Reliability  in  these  operations  is  provided  as  a  part  of  the  normal  course  of 
business  through  the  use  of  industry  codes  and  standards,  government  regulations 
and certification requirements.


1  "The  Employment  of  Voluntary  Consensus  Standards  in  the  Regulation  of 
Offshore  Development,"  Ben  C.  Gerwick,  Jr.,  Chairman,  Marine  Board, 
National  Academy  of  Sciences. 

2.  Mobile Offshore Drilling Units (MODUs)


Drilling  units  were  designed,  built,  and  operated  under  guidelines  and  voluntary 
standards  written  primarily  by  industry-sponsored  organizations  until  1979. 
Since that time all U.S. flag MODUs have been certified by the USCG.² The
units  are  surveyed  by  the  ABS  and  carry  an  ABS  classification.    The  design  and 
construction  of  industrial  equipment  on  board  these  units  is  subject  to  industry 
standards,  whereas  the  maritime  equipment  on  the  vessels  is  controlled  by  USCG 
certification requirements for Mobile Offshore Drilling Units.

The  same  is  true  for  personnel.    During  drilling  operations,  the  industrial 
personnel  on  board  are  not  licensed  by  the  Coast  Guard.    While  underway  though, 
varying  maritime  licensing  requirements  apply  depending  on  whether  the  vessel 
is  capable  of  independent  navigation. 

The  USCG  now  requires  that  MODU  industrial  systems  be  designed  in  accordance 
with  the  principles  of  API  14C  (Analysis,  Design,  Installation,  and  Testing  of 
Basic  Surface  Safety  Systems  on  Offshore  Platforms). 

Further,  the  industrial  systems  must  be  analyzed  and  certified  to  comply  with 
other  applicable  industry  standards. 

Thus,  since  1979,  there  has  been  a  U.S.  regulatory  requirement  for  the  formal 
application  of  the  principles  of  designed-in  safety  protection  from  potentially 
hazardous  conditions,  with  consideration  for  inclusion  of  a  safe  alternative 
when  there  is  failure  of  a  primary  industrial  component.    Several  different 
types  of  reliability  analyses,  such  as  damage  assessment  studies,  hazards 
identification  analyses,  studies  on  causes  of  blowouts,  etc.,  have  been  done 
and  are  done  as  routine  evaluations. 

In  summary,  then,  there  are  four  categories  of  design  standards  for  a  Mobile 
Offshore  Drilling  Unit: 

1.  Voluntary  standards  for  the  industrial  equipment; 

2.  ABS  classification  standards; 

3.  USCG  requirements  (in  excess  of  ABS)  in  areas  such  as  lifesaving 
appliances;

4.  Requirements to facilitate international travel:

a.  International Convention for the Safety of Life at Sea (SOLAS)
1974 for self-propelled vessels.

b.  International Maritime Organization - Code for the Construction
and Equipment of Mobile Offshore Drilling Units (MODU code).


2  Foreign flag units must have a "Letter of Compliance" issued by the USCG.

With  the  exception  of  very  special  categories  such  as  lifesaving  appliances, 
the  primary  difference  between  application  of  the  voluntary  standards  in  the 
first  category  and  the  other  three  categories  is  a  requirement  for  third  party 
verification  that  the  vessel  in  fact  complies  with  a  standard.    In  most  cases, 
the  standard  used  is  a  standard  developed  through  the  voluntary  system.  For 
illustration,  the  ABS  has  a  special  committee  on  Mobile  Offshore  Drilling  Units 
which  is  composed  of  industry,  Coast  Guard,  and  ABS  personnel.    This  committee 
drafts  the  ABS  requirements.    The  result  is  an  industry  voluntary  standard 
which  is  administered  by  ABS,  accepted  by  the  U.S.  Coast  Guard  for  national 
and  international  purposes,  accepted  by  insurance  companies  for  insurance 
purposes  and  paid  for  by  industry. 

3.     Offshore  Support  and  Standby  Vessels 

The  third  category  is  offshore  support  vessels.    These  vessels  are  common  in 
all  phases  of  offshore  operations.    Most  of  the  vessels  are  now  operating  as 
USCG  certified  vessels.    Again,  reliability  analyses  of  one  form  or  another 
have  been  employed  by  industry,  ABS,  and  the  government  to  assist  in  developing 
applicable  codes  and  standards. 

A  very  important  support  vessel  for  offshore  operations  is  the  helicopter. 
Most  helicopter  operations,  including  the  licensing  of  the  pilot,  and  the 
design,  construction,  and  maintenance  of  the  helicopter,  are  closely  controlled 
by  the  Federal  Aviation  Authority  (FAA).    The  offshore  landing  areas  are 
designed,  constructed,  and  operated  in  accordance  with  industry  standards  such 
as  API  RP  2L,  Recommended  Practice  for  Planning,  Designing  and  Constructing 
Heliports  for  Fixed  Offshore  Platforms,  and  the  Helicopter  Safety  Advisory 
Committee  (HSAC)  manual.    Component  reliability  analyses  have  been  conducted 
for  helicopter  operations,  primarily  by  the  manufacturers. 


FIELD  DEVELOPMENT 

A.  Structures 

There  are  three  distinct  phases  for  development  of  oil  and  gas  leases  offshore. 
The  first  is  the  installation  of  the  structure  to  be  used  for  drilling  the 
development  wells,  the  second  is  the  drilling  of  those  wells,  and  the  third  is 
the  installation  of  production  and  pipeline  facilities. 

First,  a  suitable  structure  must  be  designed  and  installed  taking  into 
consideration  water  depth,  environmental  climate,  foundation  conditions,  size 
of  facilities,  etc. 

The  basic  philosophy  of  the  offshore  industry  has  been  to  provide  redundancy  or 
alternative  solutions  where  experience  or  analysis  indicates  possibility  of 
failure,  in  order  to  minimize  the  consequences  of  failure.    This  philosophy  is 
embodied  in  the  industry  guideline  API  RP  2A.    This  document  was  written  by 
knowledgeable representatives of various companies, updated as appropriate, and
supported  by  the  cumulative  research  and  development  efforts  of  the  industry 
(upwards  of  200  million  dollars  over  the  past  10  years).    I  have  been  a 
participant  in  this  effort  for  almost  20  years,  and  I  know  that  uppermost  in 
the  minds  of  the  participants  who  wrote  this  document  was  the  desire  to  create 
the  best  technical  document  possible,  balancing,  on  the  one  hand,  the  cost  of 
over-conservatism,  and  on  the  other  hand,  the  consequences  of  failure.  Decisions 
of  this  sort  were  not  made  arbitrarily.    They  were  made  by  experienced  people 
who  fully  understood  the  consequences  of  these  decisions. 

I  would  now  like  to  discuss  a  specific  example  of  the  use  of  formal  reliability 
analyses  in  our  business.    These  methods  have  been  employed  to  establish  design 
criteria  for  some  areas  where  we  operate,  like  the  Gulf  of  Mexico.    First,  we 
establish what level of reliability we need to achieve. Figure 1 shows one
reasonable  means  of  achieving  the  answer.    Basically,  an  optimization  process 
is  involved  wherein  the  analyst  proceeds  through  several  iterations  of  design, 
making  the  structure  stronger  (and  more  costly),  but  also  reducing  the  probability 
of  failure.    The  analyst's  goal  is  to  find  an  equitable  balance  between  costs 
(first  cost  plus  failure  cost)  and  reliability.    Desirable  criteria  can  then 
be  established  and  incorporated  into  a  design  code  or  recommended  practice, 
such  as  RP  2A.    An  absolute  necessity  in  this  exercise  is  calibration  with 
reality  --  we  must  check  our  descriptions  of  the  environment  and  our  estimates 
of  structural  strength  with  actual  experience.    If  necessary  then,  we  change 
our  analytical  model  to  correspond  with  that  experience.    Too  often  this  is 
not  done,  and  as  a  consequence,  the  analysis  is  of  little  real  value. 
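
An added illustration of the optimization just described, not taken from the paper: each stronger design costs more up front but carries a smaller expected failure cost, and the total is minimized somewhere in between. Every number (candidate designs, failure cost, discount rate, service life) is constructed, and discounting the expected loss over the service life is an assumption of this sketch.

```python
# Added illustration. Every number here is constructed, not taken from the paper.

# Successively stronger versions of one hypothetical structure:
# (annual probability of failure in %/year, first cost in $ million).
CANDIDATES = [
    (5.0, 20.0), (3.0, 21.0), (2.0, 22.0), (1.0, 24.0),
    (0.6, 26.0), (0.4, 29.0), (0.2, 32.0), (0.1, 37.0),
]

FAILURE_COST = 100.0   # $ million lost if the structure fails (assumed)
DISCOUNT_RATE = 0.08   # per year (assumed)
SERVICE_LIFE = 20      # years (assumed)


def expected_failure_cost(pf_percent, failure_cost, rate, years):
    """Present value of the expected loss from the first failure.

    Failing in a given year requires surviving every earlier year, so the
    probability of the first failure in year t is (1 - p)**(t - 1) * p.
    """
    p = pf_percent / 100.0
    total = 0.0
    for year in range(1, years + 1):
        first_failure_this_year = (1.0 - p) ** (year - 1) * p
        total += first_failure_this_year * failure_cost / (1.0 + rate) ** year
    return total


def value_analysis(candidates=CANDIDATES, failure_cost=FAILURE_COST,
                   rate=DISCOUNT_RATE, years=SERVICE_LIFE):
    """Return first cost, expected failure cost and total for each design."""
    rows = []
    for pf_percent, first_cost in candidates:
        risk = expected_failure_cost(pf_percent, failure_cost, rate, years)
        rows.append({
            "pf_percent": pf_percent,
            "first_cost": first_cost,
            "failure_cost": risk,
            "total_cost": first_cost + risk,
        })
    return rows


def optimum(rows):
    """Design with the lowest first cost plus expected failure cost."""
    return min(rows, key=lambda row: row["total_cost"])


if __name__ == "__main__":
    # The balance point moves toward lower failure probability as the
    # consequence of failure grows.
    for failure_cost in (100.0, 400.0):
        rows = value_analysis(failure_cost=failure_cost)
        best = optimum(rows)
        print(f"failure cost {failure_cost:.0f}:")
        for row in rows:
            mark = "  <-- optimum" if row is best else ""
            print(f"  {row['pf_percent']:4.1f} %/yr  first {row['first_cost']:5.1f}"
                  f"  risk {row['failure_cost']:6.2f}"
                  f"  total {row['total_cost']:6.2f}{mark}")
```

With these constructed inputs the minimum sits at 0.6 %/year, and it moves to 0.2 %/year when the failure cost is quadrupled, which is why the result depends so heavily on how well the inputs are calibrated against experience.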

I  might  also  mention  that  the  API  Task  Group  on  Offshore  Structures  is  now  in 
the process of changing RP 2A, the industry guideline, to a reliability-based
format.    This  has  been  going  on  for  the  last  4  or  5  years.    A  draft  of  the 
revised  Recommended  Practice  will  be  published  within  2  years.    Moreover,  the 
American  Institute  of  Steel  Construction  has  just  published  a  draft  of  their 
Load  and  Resistance  Factor  Design  Code,  which  will  be  used  for  certain  designs. 

At  times  there  is  need  to  perform  reliability  analyses  in  order  to  assist  in 
arriving  at  an  optimum  solution  when  presented  with  various  courses  of  action. 
Such  techniques  were  recently  used  to  determine  the  relative  ranking  of  several 
proposed  exploration  drilling  structures  for  Harrison  Bay  in  the  Beaufort  Sea 
offshore  Northern  Alaska.    The  primary  objective  was  to  determine  the  feasibility 
of  a  particular  concept  based  upon  its  probability  of  being  driven  off  location 
due  to  ice  loads. 

Ice  forces  for  Harrison  Bay  were  computed  probabilistically,  using  an  ice 
simulation  model  to  forecast  the  structure's  exposure  to  multi-year  ice  floes 
on a seasonal basis. The ice environment was subdivided into four ice seasons --
break-up, summer, freeze-up, and winter -- that were modeled using site specific
environmental  data.    Annual  and  seasonal  ice  force  distributions  resulting  from 
multi-year  ice  floe  collisions  were  subsequently  computed  using  both  empirical 
and  mechanistic  relationships  that  have  been  calculated  with  both  small-  and 
large-scale  test  results. 

[Figure 1. Application of Reliability Analysis in Cost Optimization. Panel title: "Example - Value Analysis"; horizontal axis: probability of failure (%/year), 0.1 to 5.]

The probabilistic loads were combined with structure foundation resistance
distributions using a conventional reliability analysis to determine the
concept's ability to resist lateral load. The annual probability of being
driven off location was computed for soil conditions where the resistance
function does not vary with time (sand and stiff clay sites in which consolidation
effects are not important). At the weaker clay sites, where the lateral
resistance  increases  in  time  through  consolidation,  seasonal  reliabilities  were 
determined  assuming  an  average  resistance  throughout  the  season.    The  seasonal 
reliabilities  were  combined  to  determine  the  annual  resistance  reliability. 
The  structural  concepts  were  then  ranked  in  order  of  their  calculated  resistances. 
Quite  an  interesting  and  valuable  evaluation. 
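
A sketch of the load-resistance calculation described above, added here and not part of the paper. It assumes lognormal ice load and resistance, independent seasons, a linear gain in resistance through consolidation, and a summer installation; all loads, resistances and concept names are constructed.

```python
import math

# Added illustration; the values below are constructed, not the study's data.
# Seasons in the order they follow an assumed summer installation:
# (season, median peak ice load in MN, coefficient of variation of the load).
SEASONAL_LOADS = [
    ("summer", 60.0, 0.5),
    ("freeze-up", 120.0, 0.6),
    ("winter", 200.0, 0.5),
    ("break-up", 150.0, 0.6),
]

# Hypothetical concepts: (median lateral resistance at installation in MN,
# median resistance after a year of consolidation, COV of the resistance).
# Concept C stands for a sand site where resistance does not change with time.
CONCEPTS = {
    "A": (600.0, 900.0, 0.25),
    "B": (450.0, 700.0, 0.25),
    "C": (1000.0, 1000.0, 0.25),
}


def standard_normal_cdf(x):
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def log_std(cov):
    """Standard deviation of ln(X) for a lognormal X with the given COV."""
    return math.sqrt(math.log(1.0 + cov * cov))


def prob_driven_off(load_median, load_cov, resist_median, resist_cov):
    """P(load > resistance) for independent lognormal load and resistance."""
    beta = math.log(resist_median / load_median) / math.hypot(
        log_std(load_cov), log_std(resist_cov))
    return standard_normal_cdf(-beta)


def seasonal_average_resistance(initial, final, n_seasons):
    """Mid-season resistance, assuming a linear gain over equal seasons."""
    step = (final - initial) / n_seasons
    return [initial + step * (i + 0.5) for i in range(n_seasons)]


def annual_pf(initial, final, resist_cov, loads=SEASONAL_LOADS):
    """Combine seasonal reliabilities into an annual probability of failure."""
    averages = seasonal_average_resistance(initial, final, len(loads))
    reliability = 1.0
    for (_season, load_median, load_cov), resistance in zip(loads, averages):
        reliability *= 1.0 - prob_driven_off(
            load_median, load_cov, resistance, resist_cov)
    return 1.0 - reliability


def rank_concepts(concepts=CONCEPTS):
    """Concepts ordered from lowest to highest annual probability of failure."""
    scored = sorted((annual_pf(*params), name)
                    for name, params in concepts.items())
    return [(name, pf) for pf, name in scored]


if __name__ == "__main__":
    for name, pf in rank_concepts():
        print(f"concept {name}: annual probability of being driven off "
              f"location = {pf:.4f}")
```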

Formal  reliability  analyses  have  thus  been  employed  as  a  tool  to  arrive  at 
optimum  choices  in  determining  design  criteria,  or  to  choose  a  particular  course 
of  action  when  confronted  with  several  reasonable  choices.    It  is  important, 
however, to remember that such analyses are only tools -- they do not supplant
experienced  engineering  judgement  --  they  only  assist  in  making  a  more  rational 
judgement. 

I  have  seen  some  reliability  analyses  which,  while  done  using  acceptable  methods, 
reach  the  wrong  conclusions.    An  example  of  this  is  an  analysis  which  indicates 
that  one  should  not  pay  a  premium  in  order  to  reduce  the  likelihood  of  an 
undesirable  consequence,  because  the  likelihood  is  so  small.    Well,  in  some 
cases,  one  simply  cannot  afford  the  consequences  under  any  circumstances  (e.g., 
bankruptcy),  so  he  will  pay  the  premium. 

I  have  also  seen  some  rather  sophisticated  analyses  which  really  do  nothing 
more  than  "prove"  that  the  choice  of  action  favored  by  the  analyst  (or  his 
boss)  is  indeed  the  correct  choice. 

There  are  many  other  considerations  which  are  more  important  in  contributing  to 
system  reliability  than  formal  risk  analysis.    Competent  people  are  on  the  top 
of  the  list.    No  amount  of  sophisticated  analyses  can  substitute  for  intelligent, 
experienced,  hard-working  people.    Moreover,  we  must  encourage  such  people  to 
document  their  experience  in  codes  and  standards,  so  that  others  can  benefit. 

In  our  offshore  structures  business,  I  would  much  prefer  having  an  engineer 
knowledgeable about materials, welding and welded connections than one
knowledgeable  about  risk  analysis.    I  will  go  further  than  that  --  I  would 
advise  my  son,  a  structural  engineering  student,  to  take  courses  offered  in 
materials,  welding,  and  connection  details  rather  than  any  courses  in  reliability 
analysis  per  se.    I  believe  that  any  study  of  failures  of  buildings,  bridges, 
offshore  structures,  etc.,  will  conclude  that  most  of  the  failures  are  caused 
by  poor  selection  of  material  or  lack  of  attention  to  detail  (especially  of 
connections),  either  by  the  design  engineer  or  the  builder.    It  seems  that 
almost  every  week  we  read  in  Engineering  News  Record  of  some  failure  caused  by 
one  or  the  other  of  these  problems. 

I  therefore  believe  that  we  can  move  much  more  efficiently  toward  more  reliable 
structures  and  systems  by  concentrating  our  efforts  on  more  intense  review  of 
design and more attention to inspection of construction, so that we will have a
better  chance  of  catching  the  blunders  that  cause  most  of  our  failures. 

B.  Drilling  and  Well  Control 

The  second  phase  in  field  development  commences  after  the  structure  is  in  place. 

The rig illustrated in this slide is portable and has an extended life expectancy
of  about  20  years.    The  unit  is  built  to  meet  industry  codes  and  standards. 
The  list  of  such  codes  and  standards  is  extensive,  as  you  can  see. 

Subsurface  well  controls  are  designed  and  operated  in  accordance  with  the  API  14 
series  of  specifications  and  recommended  practices.    As  an  aid  in  creating 
these  documents,  a  typical  risk  analysis  was  conducted  for  a  well  completion 
system  in  order  to  compare  reliability  of  key  components  of  the  system.  The 
primary  source  of  data  was  operators'  experience;  secondary  source  was  United 
States  Geological  Survey  records  on  safety  valve  failure.    The  objective  of  the 
study  was  to  optimize  equipment  performance  and  to  develop  data  for  studying 
sensitivity  of  system  reliability  with  respect  to  key  components.  Reliability 
analyses  were  performed  using  logic  diagrams.    The  results  demonstrated  marked 
penalties  for  complicated  well  completion  systems  and  determined  a  probability 
of  blowout  among  competing  systems. 

C.  Production  Facilities 

The  third  phase  occurs  after  drilling  is  completed.    The  rig  is  removed  and 
producing  facilities  are  installed  on  the  platform. 

These  facilities  are  designed  and  constructed  utilizing  a  broad  spectrum  of 
voluntary  industry  standards  and  recommended  practices.    For  the  most  part, 
design  criteria  used  are  the  same  as  are  used  in  onshore  refineries  and  chemical 
plants.    There  are  cases  where  it  is  necessary  to  have  specific  offshore 
standards.    These  are  usually  written  as  API  standards  or  recommended  practices, 
such  as  API  RP  2A,  previously  discussed.    These  documents  represent  an  assembly 
of  proven  technology,  written  by  engineers  who  take  advantage  of  industry  R&D 
efforts  to  arrive  at  rational  criteria  and  guidelines.    Depending  on  the  purpose, 
the  documents  are  issued  as  specifications,  standards,  recommended  practices, 
guides,  bulletins,  etc. 

In  the  case  of  production  facilities,  there  is  an  MMS  regulatory  requirement 
that  the  facilities  be  protected  with  a  system  designed,  analyzed,  tested,  and 
maintained  in  accordance  with  the  provisions  of  API  14C.    The  purpose  of  the  API 
standard  is  to  protect  personnel,  the  environment,  and  the  facility,  i.e., 
identify  undesirable  events  and  define  measures  to  prevent  or  minimize  their 
effect. 

D.  Pipelines

Pipeline  systems  are  usually  built  while  production  facilities  are  being 
installed.    Gas  and  oil  are  normally  separated  offshore  and  transported  via 
separate  pipelines  to  onshore  facilities.    These  pipelines  are  usually  common 
carrier facilities and are designed, installed, and operated in accordance with
49  Code  of  Federal  Regulations  (CFR)  192  and  49  CFR  195.    These  regulations 
incorporate  the  voluntary  standards  listed  below  as  appropriate. 

Interconnecting  field  pipelines  are  designed  in  accordance  with  American 
National  Standards  Institute  (ANSI)  voluntary  standard  B  31.4  Liquid  Petroleum 
Transportation  Piping  Systems  and  ANSI  B  31.8  Gas  Transmission  and  Distribution 
Piping  Systems.    The  regulatory  agency  having  jurisdiction  over  common  carrier 
pipelines  is  the  Department  of  Transportation.    The  MMS  administers  governmental 
requirements  on  intra-field  lines  under  OCS  Order  Nos.  5  and  9. 


OPERATION  AND  MAINTENANCE 

The  industry  philosophy  on  operation  and  maintenance  varies,  understandably, 
with  the  company  and/or  type  of  equipment  and  operations. 

Most  companies  operating  on  the  Outer  Continental  Shelf  have  standard  safe 
practices,  operating  procedures,  and  training  requirements  which  are  designed 
to  provide  for  operating  efficiently  and  for  the  prevention  of  unplanned 
incidents.    These  operating  procedures  incorporate  industry  practices  and 
government  regulations  as  appropriate.    The  same  is  true  for  maintenance.  I 
have  chosen  cranes  as  a  piece  of  equipment  to  illustrate  further  how  the  system 
works  and  how  U.S.  governmental  requirements  and  industry  voluntary  standards 
are  meshed  to  minimize  risk. 

Cranes  are  a  very  necessary  piece  of  equipment  offshore.    They  provide  the 
final  link  in  the  supply  line  to  and  from  onshore.    Due  to  limited  offshore 
storage,  an  inoperative  crane  quickly  brings  operations  to  a  standstill. 

The  MMS  requires  that  API  Specification  2C,  Offshore  Cranes,  be  used  as  a 
guideline  for  the  selection  of  cranes.    The  USCG  requires  that  cranes  for  MODUs 
be  designed  in  accordance  with  API  Specification  2C.    Similarly,  both  agencies 
require  that  operation  and  maintenance,  including  personnel  qualifications,  be 
in  accordance  with  API  RP  2D  for  Operation  and  Maintenance  of  Offshore  Cranes. 

Acceptable  loading  and  environmental  criteria  are  set  out  as  appropriate  in 
Specification  2C.    Guidelines  for  training  and  qualifying  personnel  as  operations 
and  maintenance  personnel  are  included  in  RP  2D.    Also  included  are  recommended 
practices  on  operation,  inspection,  testing,  and  maintenance.    These  procedures 
are  designed  to  keep  the  crane  in  a  satisfactory  condition  to  operate  within 
its  designed  capability.    Again,  the  writers  of  this  RP  pooled  their  cumulative 
knowledge  and  experience  over  the  last  20  years  to  create  a  guide  for  other 
less  experienced  to  follow.    Formal  analyses  of  several  types  were  conducted, 
both  by  manufacturers  and  by  operators,  including  fault  tree  analyses, 
cause/consequence  diagrams,  etc.    The  results  were  used  as  background  for  the 
recommendations. 

CONCLUSION


We  have  just  completed  an  overview  of  the  major  aspects  of  offshore  operations. 
The  experience  and  knowledge  of  many  members  of  the  industry  and  the  extensive 
R&D  budgets  of  the  many  companies  involved  have  been  employed  to  arrive  at 
voluntary  standards,  codes,  and  recommended  practices  for  safe  and  reliable 
conduct  of  these  operations. 

In  summary,  we  take  risks  in  whatever  we  do  and  their  existence  should  be 
recognized.    The  primary  advantage  of  a  systematic  analysis  of  these  risks  is 
that  the  analysis  assists  greatly  in  understanding  the  major  sources  of  these 
risks  and  how  important  they  may  be.    It  points  the  way  to  a  decision  to  proceed 
or  not  proceed  with  a  project,  or  an  optimum  choice  of  alternatives,  or  a  more 
rational  choice  of  safety  factors  and  design  criteria.    However,  it  is  not  a 
panacea  —  it  is  a  tool  for  the  analyst,  and  like  any  other  tool,  it  is  as 
valuable  as  the  intelligence  and  experience  of  the  analyst  makes  it. 

Reliability  analysis  has  its  place,  but  it  will  not  substitute  for  sound 
engineering  judgement,  thorough  analyses,  and,  most  important,  attention  to 
those  million  and  one  details  which,  together,  make  up  the  whole  of  a  structure, 
a  drilling  rig,  well,  production  facility,  or  pipeline.    Almost  as  important, 
in  my  opinion,  is  the  documentation,  via  guidelines  and  standards,  of  the 
knowledge  and  experience  of  good  engineers,  so  that  less  capable  and/or  less 
experienced  engineers  can  take  advantage  of  that  expertise. 

METHODOLOGIES FOR THE ANALYSIS OF SAFETY AND RELIABILITY PROBLEMS
IN  THE  OFFSHORE  OIL  AND  GAS  INDUSTRY 

by 

Dr.  D.  H.  Slater  and  Dr.  R.  A.  Cox 


ABSTRACT 

This  paper  gives  a  comprehensive  review  of  safety  and  reliability  assessment 
methodologies  as  applied  to  offshore  installations,  with  special  reference  to 
North  Sea  experience.    There  are  several  distinct  techniques  which  may  be 
applied.

•  "Conceptual  Design  Safety  Evaluation" 

•  Hazard  and  Operability  Study 

•  Fault  Tree  Analysis 

•  Event  Tree  Analysis 

•  Structural  Reliability  Analysis 

•  Simulation  Techniques 

•  Risk  Analysis 

In  the  paper,  these  techniques  are  discussed  in  terms  of  their  relevance  and 
usefulness  in  offshore  problems.    The  extent  of  practical  application  of  these 
methodologies  in  the  offshore  oil  and  gas  industry,  and  the  results  from  this 
experience,  are  reviewed. 

1. INTRODUCTION


Development  of  offshore  oil  and  gas  in  the  North  Sea  has  necessitated  construction 
of  very  large  platforms,  accommodating  several  hundred  people  in  an  unusually 
inhospitable  environment.    Major  accidents  have  already  occurred  -  notably  the 
capsize  of  the  semisubmersible  Alexander  Kielland,  the  Ekofisk  blowout  and  the 
collapse  of  the  Sea  Gem  jack-up.    As  a  result,  there  is  great  interest  in 
achieving  a  better  understanding  of  offshore  risks  and  in  improving  designs  and 
evaluating  the  effectiveness  of  such  improvements.    Techniques  of  safety  analysis 
play  an  important  part  in  this  effort. 

The  last  decade  has  seen  a  tremendous  growth  in  the  application  of  formal 
analytical  techniques  to  hazard  analysis  and  loss  prevention  in  the  chemical, 
petroleum,  and  offshore  industries.    The  array  of  methods,  each  with  an  impressive 
title  or  acronym,  is  bewildering  on  first  acquaintance,  the  more  so,  because 
individual  methods  have  often  been  presented  as  if  they  were  the  one  and  only 
solution  to  the  loss  prevention  problem.    The  truth,  however,  is  that  the 
problems themselves are many and varied, and different methods are required in
order  to  deal  with  them.    It  is  quite  rare  to  find  a  real  choice  of  method, 
once  the  problem  has  been  correctly  formulated. 

Most  of  the  techniques  developed  to  date  are  designed  for  application  during 
the  development  of  a  specific  project.    It  is  therefore  easiest  to  discuss  them 
by  reference  to  the  normal  sequence  of  project  development  phases:  conceptual 
design  and  planning;  detailed  design;  construction;  commissioning  and  operation 
(see Figure 1). The guiding principle is to carry out each analysis at such a
stage in the project that it is still possible to make the particular types of
changes  that  the  analysis  may  suggest.    Thus,  for  example,  it  is  appropriate  to 
carry  out  an  initial  survey  of  the  principal  hazards  involved  (e.g.,  drilling, 
riser  pipes,  etc.)  while  the  platform  layout  is  still  being  developed,  not  as 
an  afterthought.    A  list  of  techniques  and  their  applications  is  given  below; 
the  techniques  are  reviewed  in  more  detail  in  the  next  section. 

HAZARD  SURVEY/HAZARD  INVENTORY 

Identifies  all  stocks  of  hazardous  materials  or  energy,  with  relevant  details 
of  conditions  of  storage.    Identifies  platform  features  of  fundamental  importance 
for  safety,  e.g.,  riser  pipes  connected  to  major  product  pipelines,  drilling 
equipment,  fuel  stocks,  crane  operations  and  so  on.    (Conceptual  design  stage.) 

"CONCEPTUAL  DESIGN  SAFETY  EVALUATION" 

Used  in  the  Norwegian  Sector  to  help  identify  "design  accidental  events"  which 
are  used  to  define  the  accident  survival  capacity  of  the  installation. 
(Conceptual  design  stage.) 

PROCESS  SAFETY  DESIGN  CHECKS 

Typified  by  use  of  internal  controls  and  checking  within  the  design  team,  and 
the  application  of  API  RP  14C  type  analysis.    (Detailed  design  stage.) 

Figure 1. Hazard Analyses During the Development of a Project

HAZARD AND OPERABILITY STUDY/FAILURE MODES AND EFFECTS ANALYSIS


For  identifying  failure  modes  that  could  occur  in  the  process  plant  and  might 
have  undesirable  consequences.    (Detailed  design  stage.) 

RELIABILITY  STUDIES  (SINGLE  EQUIPMENT) 

Usually  a  statistical  analysis  of  failure  rates  on  a  critical  component  (e.g., 
turbine)  with  a  view  to  optimizing  redundancy  or  maintenance  provisions. 
(Detailed  design  or  operational  stage.) 

SYSTEMS  RELIABILITY/FAULT  TREE  ANALYSIS 

These  techniques  are  used  for  estimating  the  frequency  of  failures  of  a  system 
involving  many  components  (e.g.,  pressure  control  of  a  vessel).    Dominant  causes 
of  failure  are  identified.    (Detailed  design  stage.) 

EVENT  TREE  ANALYSIS 

Used  to  find  the  various  possible  outcomes  of  a  given  initiating  event  (used  in 
Risk  Assessment  -  see  below). 

CAUSE-CONSEQUENCE  DIAGRAMS 

A  flexible  method  for  presenting  system  reliability  problems,  including  features 
of  both  fault  and  event  trees,  with  allowance  for  time  delay  factors.  (Detailed 
design  stage.) 

STRUCTURAL  RELIABILITY  ANALYSIS 

This  includes  analysis  of  extreme  seismic,  wind,  and  wave  loadings  and  considers 
collapse  states  rather  than  design  (elastic)  stages,  defect-tolerance  and  impact 
resistance.    (Detailed  design  stage.) 

SIMULATION  TECHNIQUES 

These  are  used  for  many  purposes.    A  good  example  is  simulation  of  emergency 
evacuation  sequences,  using  Monte  Carlo  or  event  tree  methods.    (Detailed  design 
stage.)

RISK  ASSESSMENT 

Quantification  of  the  total  risk  (to  life,  capital  investment,  or  production) 
associated  with  a  hazardous  process.    This  is  used  to  check  on  the  adequacy  of 
the  design  by  identifying  the  most  significant  contributors  to  risk  and  indicating 
how  improvements  may  be  achieved,  if  required.    It  can  also  show  that  a  specific 
proposed  improvement  is  ineffective.    (Detailed  design  stage.) 

CONSTRUCTION AUDIT/PRE-COMMISSIONING CHECK


A  check  that  the  plant  as  built  conforms  to  required  standards  and  to 
recommendations  made  in  earlier  safety  studies.    (Construction  stage.) 

SAFETY  AUDIT 

This  normally  refers  to  a  check  of  the  plant  hardware  and  operating  procedures 
after  some  time  in  operation.    (Operational  stage.) 

Although  some  of  these  techniques  have  been  part  of  the  oil  and  gas  scene  for  a 
long  time,  others  are  new  to  the  industry  and  introduce  revolutionary  ways  of 
thinking.    For  example,  Fault  Tree  Analysis  makes  possible  a  process-specific 
evaluation  of  the  need  for  extra  redundancy  or  particular  attention  to  maintenance 
of  critical  items;  this  cannot  be  so  well  addressed  under  the  procedures  of  the 
established  Code  of  Practice  API  RP  14C  because  it  does  not  take  account  of  the 
reliability  characteristics  of  specific  items  of  equipment,  nor  of  the  likelihood 
of  various  different  process  upsets  occurring  in  the  first  place.    Fault  Tree 
Analysis  can  show  the  designer  where  to  make  economies  and  where  to  spend  money; 
it  also  tells  the  operational  maintenance  people  what  to  spend  time  on,  and 
what  to  ignore. 

A  second  example  is  the  Norwegian  "Concept  Safety  Evaluation."    This  tells  the 
designer  what  accident  scenarios  are  sufficiently  likely  that  he  ought  to  design 
for  them  -  at  least  on  a  "survivability"  basis. 

These  ideas  are  new  and  of  obvious  value  to  practitioners  in  the  industry.  It 
is  therefore  not  surprising  that  the  oil  and  gas  industry  in  the  North  Sea  has 
taken  up  these  techniques  with  enthusiasm  and  is  actively  pursuing  their  further 
development.    The  techniques  themselves  are  discussed  in  more  detail  in  Section 
2  of  this  paper,  while  a  review  of  North  Sea  experience  is  given  in  Section  3. 

2. TECHNIQUES AND THEIR APPLICATIONS


2.1  INITIAL  HAZARD  SURVEYS 

These  are  an  essential  preliminary  to  many  safety  studies.    The  survey  consists 
of  inventorizing  all  stocks  of  hazardous  material  or  energy  and  noting  relevant 
details  of  storage  conditions.    When  carried  out  at  the  conceptual  stage  of  a 
project,  such  a  survey  can  contribute  to  layout  optimization  and  may  suggest 
process  changes  to  reduce  stored  quantities.    It  generates  information  that  can 
be  used  in  a  preliminary  risk  assessment,  but  the  hazard  survey  itself  is  little 
more than a "screening" exercise designed to identify problem areas.

For  offshore  installations,  particular  attention  is  given  to  equipment  items 
with either a large hazard potential (e.g., pipeline risers) or a high probability
of  occurrence  (e.g.,  pump  or  compressor  leakage)  or  both  (e.g.,  blowouts).  These 
considerations  often  have  an  important  influence  on  platform  layout  or  overall 
design  concept.    For  example,  it  is  now  recognized  that  riser  pipes  located 
inside  concrete  platform  structures  are  much  less  likely  to  fail  than  the 
exposed  riser  typical  of  steel  jacket  installations.    Also,  the  distance 
separating  drilling  areas  from  living  quarters  has  been  optimized  (see  the  side 
elevation  of  the  Norwegian  "Gullfaks  A"  platform  -  Figure  2  -  which  is  an 
outstanding  example  of  a  layout  strongly  influenced  by  fundamental  safety 
thinking  at  the  initial  design  stage). 

2.2  "CONCEPT  DESIGN  SAFETY  EVALUATION"  (NORWAY) 

Concern over offshore safety has led the Norwegian Petroleum Directorate to
impose  a  requirement  for  the  execution  of  a  thorough  safety  evaluation  at  the 
"conceptual  design  stage"  of  any  development  of  fixed  installations  in  the 
Norwegian  sector.    Approval  of  the  developer's  Main  Plan  (a  vital  step  in  the 
authorization  procedure)  is  now  effectively  contingent  upon  submission  of  a 
safety  evaluation  accepted  by  the  NPD. 

Guidelines for the approach to be adopted in carrying out these safety
evaluations have been published (Norwegian Petroleum Directorate, 1981) and these
are  firmly  based  in  the  concepts  of  risk  analysis,  although  adapted  so  as  to 
maximize  the  direct  usefulness  of  the  analysis  to  the  platform  designers. 

The  object  of  this  approach  is  to  divide  the  complete  list  of  failures  (or 
"accidental  events"  as  they  are  called  in  this  context)  into  two  groups: 

1.  A  group  of  "Design  Accidental  Events"  whose  consequences  must  be  small 
enough  to  allow  safe  evacuation  of  all  personnel  not  in  the  immediate 
vicinity  of  the  event; 

2.  A  group  of  "Residual  Accidental  Events"  whose  consequences  may  be  such 
as  to  exclude  them  from  group  1,  but  whose  total  expected  frequency  must 
not exceed a stated level (of the order of 10^-4 to 10^-3 per platform-year,
depending  on  the  interpretation). 

Figure 2. Side Elevation - Gullfaks "A" Platform

This division elegantly achieves two objectives:

first,  while  acknowledging  that  a  finite  risk  of  a  severe  disaster  must  be 
accepted,  it  analyzes  this  risk  and  seeks  to  keep  it  below  a  target  level; 

second, it provides "design cases" which can be put in a form that platform
designers can use within conventional design procedures.

The accidental events include process failures, wellhead accidents, helicopter
and  ship  collisions,  structural  failures  and  extreme  environmental  loadings 
(notably  waves).  The  division  between  Design  and  Residual  accidental  events  is 
determined  by  the  total  frequency  of  the  latter  so  that  a  large  and  complex 
platform  may  have  to  be  designed  for  more  severe  failure  cases  than  a  small 
simple  one.  This,  of  course,  is  reasonable  in  the  interests  of  maintaining 
acceptably  low  risk  levels  for  all  offshore  personnel. 

Safety  evaluations  of  the  kind  just  described  use  consequence  models  that  are 
adapted  for  the  particular  circumstances  of  offshore  platforms.    For  example, 
they  include  models  for:    gas  explosions  in  confined  spaces,  damage  to  structures 
from  heat  or  impacts;  burning  liquid  on  the  sea,  and  so  on. 

The  studies  also  call  for  a  probability  analysis  of  the  accidental  events.  The 
best  data  on  failure  rates  of  offshore  equipment  are  those  from  the  Gulf  of 
Mexico,  although  care  is  required  in  applying  them  to  North  Sea  conditions. 
Unfortunately,  attempts  to  collect  data  directly  for  North  Sea  operations  have 
not  progressed  far  yet,  although  the  Norwegian  "OREDA"  project  should  achieve 
this  objective  in  due  course. 

Some  10  to  12  of  these  safety  evaluations  have  been  carried  out  so  far  but  the 
full  reports  are  not  usually  published.    A  paper  by  Pyman  and  Gjerstad  (1983) 
gives  a  short  description  of  one  of  these  studies  and  concludes  that  the  NPD's 
Concept Safety Evaluation procedure is "a modern, practical and constructive
method  of  ensuring  an  acceptable  level  of  safety  in  basic  engineering  design." 

2.3    DESIGN  CHECKS 

A  checking  procedure  is  usually  built  into  the  design  process  but  there  is  a 
trend  towards  making  this  more  formal  and  more  independent  of  the  original 
designer.    Checklists  are  often  used  to  make  this  procedure  more  systematic  and 
comprehensive,  and  a  good  example  of  such  a  checklist  is  given  in  the  booklet 
"Flowsheeting  for  Safety"  published  by  the  Institution  of  Chemical  Engineers 
(Wells  et  al.,  1977).    This  takes  the  form  of  a  series  of  questions  addressed  to 
different  aspects  of  the  plant: 

• basic process considerations

• mechanical specifications

•  deviations  from  normal  operation 

•  reliability 

•  containment  integrity 

•  layout 

• personnel protection

•  documentation 

The  questions  are  simply  used  as  a  prompt  to  the  reviewing  engineer,  and  have 
to  be  adapted  to  suit  the  process  under  scrutiny. 

For  the  purposes  of  this  discussion,  we  should  consider  under  this  heading  the 
widely-used  code  of  practice,  API  RP  14C  -  Recommended  Practice  for  the  Analysis, 
Design,  Installation  and  Testing  of  Basic  Surface  Safety  Systems  for  Offshore 
Production  Platform  (American  Petroleum  Institute,  1978).    This  RP  is  widely 
used  in  the  offshore  industry  as  setting  the  minimum  standards  for  provision  of 
safety  devices  on  potentially  hazardous  equipment  and  therefore  the  document  is 
often  referred  to  in  contract  specifications  and  even  in  government  regulations. 

The  RP  sets  out  both  general  principles  and  specific  design  guidelines.  The 
prime  example  of  the  former  is  the  principle  that,  in  addition  to  normal  process 
control  loops,  there  should  be  two  independent  protective  systems  to  guard 
against  each  hazardous  process  condition.    The  more  specific  guidelines,  however, 
provide  direct  illustrations  of  protective  devices  that  are  recommended  for 
particular  typical  process  units. 

The  strong  points  of  RP  14C  are  that: 

•  it  is  internationally  recognized  and  design  engineers  are  familiar  with  it; 

•  it  specifies  standard  documentation  for  the  safety  analysis  so  that  the 
adequacy  of  the  work  can  be  checked; 

•  it  helps  in  producing  the  first  draft  design; 

•  it  ensures  that  some  measure  of  diversity  and  redundancy  will  be  included  in 
the  design  of  the  main  typical  process  units. 

However,  as  a  method  of  analysis,  it  has  important  limitations  in  that: 

•  the  general  principles  permit  considerable  variation  in  interpretation  by 
individual  design  contractors; 

•  the  specific  guidelines  are  only  given  for  a  limited  range  of  equipment  items 
whereas  on  large  and  complex  platforms  it  is  known  that  many  other  systems 
may  give  rise  to  hazards; 

•  the  design  engineering  details  in  14C  are  now  considerably  out-of-date 
because  of  advances  such  as  programmable  logic  controls,  automatic  ESD 
systems,  depressurization  systems,  and  so  on; 

•  the  analysis  part  of  14C  is  relatively  crude  compared  with  modern  techniques 
now  actively  applied  in  the  North  Sea,  such  as  HAZOP  and  Reliability  (Fault 
Tree) Analysis. In particular, it does not take account of the reliability
of specific protective systems, nor of the likelihood of a demand being placed
on  such  systems.    This  omission  leads  to  a  potential  misallocation  of  resources 

Design checks of these types are concerned with compliance with current good
design  practice  and  therefore  cover  a  wide  variety  of  types  of  hazard,  ranging 
from  faults  that  interrupt  production  (but  have  little  risk  to  life)  to  major 
disasters.    However,  they  do  not  provide  any  quantitative  measure  of  effectiveness 
of  the  proposed  improvements  in  reducing  risk.    This  is  particularly  important 
when  complex  systems  have  to  be  considered,  or  when  the  hazard  potential  of  a 
plant  item  is  so  large  that  special  high  integrity  engineering  has  to  be  employed. 

2.4 HAZARD AND OPERABILITY STUDIES (HAZOP) AND FAILURE MODES AND EFFECTS
ANALYSIS (FMEA)

These  two  techniques  are  considered  together  here  because  they  have  very  similar 
objectives  and  methods  of  approach.    The  purpose  is  to  identify  systematically 
all  of  the  possible  ways  in  which  the  system  could  fail,  and  to  evaluate  these 
and  formulate  recommendations  for  action. 

FMEA is the simpler of the two techniques. The procedure is to take each
component  in  turn,  list  all  the  possible  failure  modes  and  consider  the  consequences 
of  each.    The  results  are  recorded  in  a  standard  format  in  which  recommendations 
can be included. The weakness of this type of analysis is that there is no actual
method  for  finding  the  failure  modes  or  their  effects:    the  engineer  is  expected 
to  do  this  from  first  principles  or  past  experience,  and  the  only  discipline 
imposed  on  him  or  her  is  that  of  the  reporting  format  itself. 

HAZOP  overcomes  the  main  difficulty  by  introducing  a  systematic  method  for 
identifying  failure  modes.    This  involves  scrutiny  of  a  large  number  of  possible 
deviations  from  normal  operation  conditions,  which  are  generated  by  applying 
guide  words  such  as  MORE,  LESS,  REVERSE  etc.,  to  each  of  the  parameters  describing 
conditions  in  each  component  or  pipeline  in  the  plant. 

Often  there  is  no  realistic  cause,  or  the  effects  are  unimportant;  such  cases 
can  be  quickly  passed  over.    Sometimes  the  causes  are  credible  and  the  effects 
significant  either  for  the  correct  functioning  of  the  process  or  for  safety 
or  both.    In  such  cases,  there  may  be  a  need  for  design  changes  to  eliminate 
the identified cause, or alternatively a more detailed reliability study may be
recommended,  to  determine  whether  the  probability  of  the  event  is  high  enough 
to  justify  action.    The  team  may  subjectively  assess  the  consequences  and 
probability  as  "large"  or  "small"  and  rank  the  actions  accordingly. 

HAZOP  as  practiced  to  date  is  only  applicable  to  process  hazards  but  there  is 
no  doubt  that  it  could  be  developed  to  apply  to  structures,  management  procedures 
and  many  other  systems  that  relate  to  safety.    This  would,  however,  probably 
involve  the  use  of  new  guide  words. 

The  technique  is  rather  laborious  but  the  efficiency  of  the  study  team  increases 
rapidly  with  experience,  as  trivial  cases  can  be  more  quickly  identified  and 
disposed  of.    It  is  unwise  however,  to  take  too  many  short-cuts  because  this 
undermines  the  main  advantage  of  the  method,  which  is  its  thoroughness  and 
comprehensiveness  in  failure  case  identification. 

Both HAZOP and FMEA are limited in that they do not provide a technique for
discrimination  between  alternative  options  for  improvement;  this  is  still  left 
to  the  team's  collective  judgment. 

For  further  reading,  see  the  booklet  "A  Guide  to  Hazard  and  Operability  Studies" 
published by the Chemical Industries Association (1977) and Roach and Less
(1981).

2.5    RELIABILITY  ANALYSIS  OF  COMPONENTS  AND  SYSTEMS/FAULT  TREE  ANALYSIS 

There  are  many  techniques  available  for  special  purposes  under  the  general 
heading  of  reliability.    The  simplest  type  of  analysis  is  one  done  for  a  single 
equipment  item  within  the  system.    This  may  be  required  because  it  is  clear 
from  the  start  that  a  particular  piece  of  equipment  will  be  critical  for  the 
safety  or  availability  of  the  whole  system,  or  because  an  estimate  of  the 
failure  rate  of  the  equipment  is  required  as  part  of  a  risk  assessment. 

2.5.1  Reliability  Analysis  -  Single  Equipment  Items 

Assuming  that  the  equipment  item  is  not  a  complex  one  (for  which  a  system 
reliability  analysis  of  its  components  is  appropriate  -  see  2.5.2  below),  this 
work  has  to  be  done  by  a  statistical  analysis  of  the  failure  rates  of  similar 
equipment  from  past  experience.    Frequently,  the  only  statistics  available  are 
overall average failures, which are affected by the actual service and
maintenance conditions. In order to relate such data to the particular equipment
under  study,  allowance  must  be  made  for  any  changes  in  these  conditions. 
Another  problem,  often  encountered  in  the  offshore  industry,  is  that  adequate 
statistics  for  comparable  equipment  items  do  not  exist.    In  this  case,  an 
inference  has  to  be  made  based  on  the  nearest  equivalent  equipment  items,  with 
adjustments  based  on  engineering  judgement  to  allow  for  any  different  factors 
that  may  have  an  influence  on  the  failure  rate. 

A  more  detailed  analysis  of  the  failure  rate  may  be  required  for  the  design  of 
maintenance  schedules.    This  involves  determination  of  the  time-distribution  of 
failures  in  the  equipment  in  the  absence  of  maintenance  actions.  Various 
distribution  functions  can  be  defined  of  which  two  of  the  most  important  are 
the  reliability  function  R(t)  (i.e.,  probability  of  survival  at  time  t)  and  the 
hazard  rate  function  Z(t)  (i.e.,  the  instantaneous  failure  rate  at  time  t). 
These functions tend to have characteristic forms, for example the "bathtub
curve"  form  for  Z(t)  which  features  high  hazard  rates  at  early  times,  due  to 
defective  manufacture  or  installation,  and  again  at  later  times  due  to  wear  out. 

For  safety  studies  and  risk  assessment,  the  long-term  average  failure  rate  is 
of  more  interest,  and  this  can  be  assumed  to  be  constant  with  time  (although 
random  in  occurrence)  once  the  maintenance  and  repair  cycle  is  established. 

2.5.2  Reliability  Analyses  -  Systems 

Reliability  analyses  become  particularly  important  to  the  designer  where  complex 
systems  are  involved.    These  systems  may  arise  because  of  inherent  complexity  in 
the process as a whole, or because particular units require instrumentation for
process  control  or  for  safety.    The  basic  technique  for  analyzing  these  cases 
is  Fault  Tree  Analysis.    In  this  approach,  the  failure  modes  of  interest  must 
first  be  defined,  for  example  by  use  of  Hazard  and  Operability  Study.  These 
defined  failure  modes  are  known  as  "Top  Events"  and  for  safety  analyses  these 
would  often  be  loss-of-containment  cases,  such  as: 

•  overpressure  of  vessel  leading  to  rupture 

•  release  of  flammable  liquid  through  flare  systems 

•  failure  of  firewater  deluge  when  demanded 

•  failure  of  emergency  power  generators  when  demanded 

For  each  failure  mode,  the  analyst  must  then  identify  all  those  events  or 
combinations  of  events  that  could  lead  directly  to  the  failure.    The  precise 
logical  relationship  between  cause  and  effect  is  expressed  by  AND  or  OR  gates 
and  is  usually  presented  in  diagrammatic  form. 

The  immediate  causes  of  the  top  event  have  their  own  contributory  causes,  and 
these  can  be  presented  in  a  similar  way,  so  that  a  complete  Fault  Tree  is  built 
up.    This  process  ceases  when  all  of  the  causative  factors  at  the  bottom  of  the 
tree are of a simple kind for which frequencies of occurrence or probabilities
can  be  estimated.    Fault  Trees  include  operator  action  both  as  an  initiating 
cause  and  as  corrective  actions.    Figure  3  shows  a  complete  fault  tree,  taken 
from  a  recent  offshore  safety  analysis.    The  diagram  is  reduced  in  detail  and 
in  size  so  that  the  whole  tree  (originally  drawn  on  14  sheets)  can  be  displayed 
on  one  page  to  illustrate  the  degree  of  complexity  in  which  the  system  has  been 
analyzed. 

This  process  of  Fault  Tree  synthesis  is  well  described  by  Barlow  and  Lambert 
(1975)  who  also  give  details  of  a  structured  method  for  assisting  the  analyst 
in  finding  causes  throughout  the  tree. 

The  quantitative  analysis  of  a  fault  tree  is  a  separate  activity.    The  procedure 
involves  first  a  logical  decomposition  of  the  tree,  which  re-expresses  it  in  a 
standard  form  in  which  a  single  OR  gate  connects  the  top  event  to  a  number  of 
sets  of  bottom  events  grouped  under  AND  gates.    These  sets  are  called  cut  sets 
and  the  frequency  of  occurrence  of  each  cut  set  can  be  easily  calculated.  Each 
cut  set  represents  one  particular  failure  mode.    In  this  way,  the  causes  that 
contribute  most  to  the  occurrence  of  the  top  event  can  be  found.  Analytical 
complications  arise  when  the  bottom  events  are  not  independent  (e.g.  mutually 
exclusive  events  or  events  connected  by  common-mode  failure  effects)  and  this 
is  why  a  specialist  will  usually  be  required  for  the  analysis  of  Fault  Trees. 
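The decomposition into cut sets described above, carried through on a small tree as an added example (it is not taken from the paper or from the study behind Figure 3). The tree, the event names and every failure rate are constructed assumptions; the shared CALIBRATION_ERROR event stands in for a common-mode failure, and the top event comes out in frequency form.

```python
from itertools import product
from math import prod

# Constructed tree for the top event "overpressure of vessel leading to rupture".
# Gate names, event names and all numbers are illustrative assumptions.
TREE = {
    "VESSEL_RUPTURE": ("AND", ["PRESSURE_EXCURSION", "SHUTDOWN_FAILS",
                               "RELIEF_VALVE_STUCK"]),
    "PRESSURE_EXCURSION": ("OR", ["CONTROL_VALVE_STUCK", "CALIBRATION_ERROR"]),
    # CALIBRATION_ERROR appears twice: one miscalibration defeats both the
    # control loop and the high-pressure trip (a common-mode failure).
    "SHUTDOWN_FAILS": ("OR", ["PRESSURE_SWITCH_FAILS", "ESD_VALVE_STUCK",
                              "CALIBRATION_ERROR"]),
}
# Initiating events carry a frequency (per year); protective devices carry a
# probability of failure on demand. Values are constructed.
INITIATORS = {"CONTROL_VALVE_STUCK": 0.1, "CALIBRATION_ERROR": 0.01}
ON_DEMAND = {"PRESSURE_SWITCH_FAILS": 0.01, "ESD_VALVE_STUCK": 0.02,
             "RELIEF_VALVE_STUCK": 0.01}


def cut_sets(node, tree):
    """Expand a gate top-down into sets of bottom events (OR of ANDs)."""
    if node not in tree:                      # bottom event
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(child, tree) for child in children]
    if gate == "OR":                          # any child's cut set suffices
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                         # one cut set from every child
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r} at {node}")


def minimal_cut_sets(sets):
    """Drop duplicates and any set that contains a smaller cut set."""
    minimal = []
    for cs in sorted(set(sets), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def cut_set_frequency(cs):
    """Frequency per year: one initiator times the on-demand failures."""
    initiators = [e for e in cs if e in INITIATORS]
    if len(initiators) != 1:
        raise ValueError(f"cut set {sorted(cs)} needs exactly one initiator")
    return INITIATORS[initiators[0]] * prod(
        ON_DEMAND[e] for e in cs if e not in INITIATORS)


def analyse(top="VESSEL_RUPTURE", tree=TREE):
    """Return (top-event frequency, cut sets ranked by contribution)."""
    scored = [(tuple(sorted(cs)), cut_set_frequency(cs))
              for cs in minimal_cut_sets(cut_sets(top, tree))]
    total = sum(freq for _, freq in scored)   # rare-event approximation
    ranked = sorted(((names, freq, freq / total) for names, freq in scored),
                    key=lambda row: (-row[1], row[0]))
    return total, ranked


if __name__ == "__main__":
    total, ranked = analyse()
    print(f"top event: {total:.2e} per year")
    for names, freq, share in ranked:
        print(f"  {share:6.1%}  {freq:.1e}/yr  {' AND '.join(names)}")
```

With these constructed numbers the two-event cut set containing the shared calibration error accounts for about three quarters of the top-event frequency, which a gate-by-gate multiplication that assumed independent branches would not show.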

For  plant  availability  studies,  repair  times  are  needed  as  well  as  failure 
rates,  and  the  top  event  (plant  outage)  is  expressed  in  probability  units  (e.g., 
plant  out  of  operation  5  percent  of  the  time).    For  safety  studies,  the  top 
event is expressed in frequency form (e.g., loss of containment once per 10^5
years).


Figure 3. Schematic version of a typical Fault Tree from an actual offshore
safety study - illustrating the degree of sophistication in
system description that is feasible in this type of analysis
(key: • failure events; 0 'OR' gates; & 'And' gates)

To give examples of the application of Fault Tree analysis offshore, we give
below a list of failure cases analyzed in this way during a recent major
platform  safety  study  for  a  North  Sea  oil  company: 

1.  rupture  of  first  stage  separator 

2.  liquid  carry-over  to  first  stage  compressor 

3.  backflow  from  gas  re-injection  well 

4.  liquid  in  fuel  gas  to  turbine 

5.  liquid  carry-over  to  HP  flare 

6.  large  unignited  gas  release  via  HP  flare 

7.  backflow  from  water  injection  well 

8.  main  electrical  power  failure 

9.  failure  of  gas  detection 

10.  failure  of  ESD  valve  to  close  when  demanded 

11.  failure  of  firewater  deluge  system 

12. failure of Halon system to operate on demand

13.  failure  of  free-fall  lifeboat  launching  system,  when  demanded 


These  analyses  proved  extremely  effective  in  developing  a  good  understanding  of 
failure  modes  and  their  likelihood  and  were  used  to  identify  and  evaluate  design 
improvements.    It  is  of  interest  to  note  that,  to  the  surprise  of  some,  these 
analyses  were  well  received  by  the  original  designers  -  who  recognized  that  the 
system  reliability  approach  was  contributing  something  new  and  relevant  which 
could  not  be  achieved  by  engineering  judgement  alone. 

2.6    EVENT  TREE  ANALYSIS 

The  Event  Tree  is  another  form  of  logic  diagram.    It  is  the  reverse  of  a  Fault 
Tree  in  that  one  starts  with  an  initiating  event  and  explores  all  possible 
outcomes that stem from it. Again, each outcome has further outcomes and all of
these  can  be  related  by  decision  gates  (see  Figure  4  for  an  example).    For  each 
gate,  the  conditional  probabilities  attaching  to  each  alternative  branch  must 
be  estimated.    From  these,  the  probabilities  of  the  final  outcomes  can  be 
calculated. 

Event  Trees  are  not  usually  employed  in  the  analysis  of  system  failure,  but  are 
valuable  in  examining  the  consequences  of  failure,  because  these  are  greatly 
influenced  by  factors  like  operator  intervention  and  weather  conditions,  which 
can  be  expressed  most  readily  in  event  tree  form. 
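The calculation of outcome probabilities from the conditional branch probabilities, as an added example that is not part of the paper and does not reproduce Figure 4. The leak frequency, the branch questions and all probabilities are constructed assumptions for a hydrocarbon leak protected by gas detection and firewater deluge.

```python
# A gate is (question, {answer: (conditional_probability, next)}), where
# "next" is either another gate or a string naming a final outcome.
# Structure and numbers are constructed for illustration.
LEAK_FREQUENCY = 0.05  # initiating event: hydrocarbon leaks per year

EVENT_TREE = ("immediate ignition?", {
    "yes": (0.10, ("deluge operates on demand?", {
        "yes": (0.95, "controlled fire"),
        "no": (0.05, "escalating fire"),
    })),
    "no": (0.90, ("gas detected and leak isolated?", {
        "yes": (0.90, "unignited release, isolated"),
        "no": (0.10, ("delayed ignition?", {
            "yes": (0.30, "gas explosion"),
            "no": (0.70, "unignited release, dispersed"),
        })),
    })),
})


def enumerate_paths(node, frequency, path=()):
    """Yield (path, outcome, frequency) for every route through the tree."""
    if isinstance(node, str):                 # reached a final outcome
        yield path, node, frequency
        return
    question, branches = node
    total = sum(p for p, _ in branches.values())
    if abs(total - 1.0) > 1e-9:               # branches must be exhaustive
        raise ValueError(f"branches of {question!r} sum to {total}, not 1")
    for answer, (p, nxt) in branches.items():
        # Each branch probability is conditional on the path taken so far,
        # so the path frequency is the running product.
        yield from enumerate_paths(nxt, frequency * p,
                                   path + ((question, answer),))


def outcome_frequencies(tree, initiating_frequency):
    """Sum path frequencies per outcome (several paths may share one)."""
    totals = {}
    for _, outcome, freq in enumerate_paths(tree, initiating_frequency):
        totals[outcome] = totals.get(outcome, 0.0) + freq
    return totals


if __name__ == "__main__":
    results = outcome_frequencies(EVENT_TREE, LEAK_FREQUENCY)
    for outcome, freq in sorted(results.items(), key=lambda kv: -kv[1]):
        print(f"{freq:.2e}/yr  ({freq / LEAK_FREQUENCY:6.2%} of leaks)  {outcome}")
    # The outcomes partition the initiating event, so they must add back up.
    assert abs(sum(results.values()) - LEAK_FREQUENCY) < 1e-12
```

A branch probability such as "deluge operates on demand" is the kind of figure a fault tree analysis of that protective system would supply.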

Figure 4. Typical event tree for hydrocarbon leakage, with deluge
protector

Cause-Consequence Diagrams are sometimes referred to in the literature. These
are  the  most  flexible  type  of  logic  diagram,  in  that  they  combine  the  features 
of  both  Fault  Trees  and  Event  Trees,  and  they  also  provide  for  a  much  wider 
choice  of  logic  gates.    The  analysis  starts  from  a  "critical  event"  whose  causes 
are  traced  by  Fault  Tree  methods  and  whose  consequences  are  traced  in  an  Event 
Tree.    A  "critical  event"  could  be  a  process  deviation  which  is  potentially 
hazardous  but  not  necessarily  so.    The  gates  available  allow  for  externally- 
applied  conditions,  whose  probability  must  be  given,  and  for  time  delays.  The 
latter  are  particularly  useful  for  the  analysis  of  start-up  and  shut-down  and 
for  batch  processes. 

All  logic  diagram  analyses  are  liable  to  error  through: 

• omission of branches

• uncertainty of probability and frequency numbers

• neglect of interdependencies such as common mode failures.


Those  faults  are,  however,  not  fundamental  to  the  technique,  but  more  a  question 
of  proper  application.    In  particular,  it  would  be  desirable  for  more  research 
to  be  done  on  failure  rates  for  equipment  items  relevant  to  the  offshore 
industry, with more detailed recording of failure modes and of the number of
equipment items contributing to the survey. There is also a need, arguably
more  important  still,  to  evaluate  the  reliability  of  the  human  operator  and  the 
factors  that  affect  his  or  her  performance  both  in  normal  operation  and  during 
emergencies. 

2.7    STRUCTURAL  RELIABILITY  ANALYSIS 

In  a  complete  examination  of  risk  on  an  offshore  installation,  possible  structural 
failure  must  be  included.    These  events  include: 

•  failures  caused  by  structural  weakness  or  inadequacy  relative  to  normal  loads, 
and 

•  failures  caused  by  abnormal  loads,  or 

•  combinations  of  the  two. 


For  convenience,  all  kinds  of  external  impact  events  are  often  included  under 
this  heading,  so  that  in  a  recent  offshore  risk  analysis,  the  "structural" 
events  considered  were  as  follows: 

Structural Failures (under normal loads):

• concrete base structure cell structures

• concrete base structure drilling shafts

• concrete base structure utility shaft

• concrete base structure seawater service shaft

• module support frame

• module structures

• helideck

• foundation

Falling objects, etc.

• dropped crane loads

• collapse of crane boom

• collapse of crane pedestal/main bearing

• dropped derrick load

• collapse of derrick

• collapse of flare boom

External impacts

• passing vessel collision

• tanker collision

• supply vessel collision

• fishing vessel collision

• helicopter crash

• flotel impact

• crane barges and other construction vessels impact

Extreme loads

• excessive weight

• extreme wind and wave

• extreme seismic loading


From this list of events, it can be seen that a wide range of different
analytical techniques have to be brought to bear on the question, in order to produce
results  which  are  expressed  in  the  same  final  form,  i.e.,  probabilities  and 
consequences. 

For  many  of  these  cases,  historical  data  on  event  frequencies  exist.    This  is 
particularly  true  of  crane  and  derrick  failures  and  external  impacts.  These 
data  may  have  to  be  normalized  on  a  suitable  basis,  such  as: 

"per  helicopter  movement" 
"per  supply  vessel  visit" 
"per  crane  load" 
etc. 

This is much more realistic than "per platform year." The use of data in this
form  requires  a  detailed  analysis  of  the  frequency  of  transport  operations  as 
the  field  development  proceeds  through  one  phase  to  the  next.    (For  example, 
dropped  objects  are  much  more  likely  while  drilling  is  still  in  progress.) 

The  rigorous  analysis  of  the  consequences  of  impact  events  requires  sophisticated 
nonlinear  dynamic  structural  models  but  the  use  of  these  can  only  be  justified 
in  very  critical  cases.    Usually,  a  more  crude  analysis  based  on  simple  energy 
concepts  or  "punching  shear"  will  suffice  for  risk  analysis  purposes. 

For  several  of  the  structural  events,  notably  those  involving  environmental 
loads,  an  analysis  of  the  ultimate  load-bearing  capacity  is  required  in  order 
to  arrive  at  an  estimate  of  failure  frequency.    For  example,  in  seismic  design, 
North  Sea  platforms  are  designed  on  the  basis  of  100-year  earthquake  return 
periods  using  linear  elastic  methods,  with  substantial  safety  factors. 
Increasingly,  however,  the  1000-year  earthquakes  are  being  used  for  design, 
with  reduced  safety  factors  but  still  on  a  linear  elastic  basis.    It  is  no  easy 
matter  to  estimate  from  this  information  the  expected  failure  frequency,  because 
the  loading  is  transient  and  the  structural  behavior  nonlinear  in  the  region  of 
interest.    This  has,  however,  been  done  approximately,  using  a  static  nonlinear 
analysis  to  identify  likely  structural  failure  modes  and,  from  extrapolation  of 
the  ground  acceleration/return  period  curve,  the  expected  frequency  of  various 
degrees  of  collapse. 

This  type  of  analysis  is  of  fundamental  importance  because  it  gives  a  measure 
of  the  actual  level  of  safety  implicit  in  the  codes  of  practice  for  structural 
design.    This  makes  it  possible  to  compare,  say,  structural  risks  with  blowout 
risks,  and  thereby  establish  an  order  of  priorities. 

2.8    OVERALL  RISK  ANALYSIS 

In  the  offshore  industry,  risk  analysis  is  used  quite  frequently  for  evaluating 
specific  design  options.    A  good  example  of  this  is  its  use  in  determining  the 
effectiveness  of  subsea  remote  operable  block  valves  in  major  pipelines,  to 
protect  manned  platforms  against  risk  of  fire-induced  structural  collapse  if  a 
pipeline riser were to fail. Risk analysis is being used to consider the need
for  such  valves  depending  on  the  riser  configuration  and  risk  of  dropped  object 
or  anchor  impact  on  the  pipe. 

The  reason  why  this  type  of  problem  is  well  suited  to  risk  analysis  is  that  a 
great  number  of  possible  remedial  measures  may  be  proposed  for  improvement  of 
the  risk,  some  of  which  reduce  the  consequences  of  failure  while  others  reduce 
the  probability.  Thus,  the  relative  effectiveness  of  such  measures  cannot  be 
directly  compared:  only  their  effect  on  risk  (which  combines  probability  and 
consequences)  can  be  used  for  comparison. 

A  second  application  of  risk  analysis  is  in  the  development  of  a  comprehensive 
picture  of  all  the  risk  to  which  an  installation  may  be  subjected.    This  type 
of  study  naturally  involves  a  considerable  volume  of  effort  -  4500  man-hours 
have  been  expended  on  one  very  large  platform  in  this  type  of  work.    The  purpose 
is to develop a picture of the priority areas for future safety developments
as  well  as  to  contribute  to  the  detailed  design  of  an  individual  platform. 

In  this  type  of  application,  fundamental  principles  for  the  application  of  risk 
analysis  were  soon  established  in  a  form  that  has  not  greatly  changed  since. 
These principles are:

1.  that  the  residual  risk  should  represent  the  total  risk  caused  by  all  possible 
accidents  on  the  installation, 

2.  that  the  spectrum  of  all  possible  accidents  should  be  represented  by  a 
finite  set  whose  consequences  and  expected  frequencies  should  be  estimated, 

3.  that  the  results  should  be  so  presented  as  to  assist  the  designer  to  improve 
the  safety  of  the  installation,  and 

4.  that  criteria  should  be  established  whereby  the  results  may  be  judged. 

Although  individual  studies  vary  in  content  and  style,  they  nearly  all  conform 
to  a  general  logical  structure  illustrated  in  figure  5.    The  first  step  is  to 
define  a  set  of  failure  cases  based  on  an  engineering  appraisal  of  the  platform. 
Since  the  final  objective  is  to  evaluate  the  total  risk  impact  of  the  installation, 
this  failure  case  list  must  be  checked  to  ensure  that  it  is  truly  representative 
of  the  spectrum  of  events  that  could  actually  occur  -  that  is,  there  should  be 
no  gaps  and  no  overlaps  between  cases.    For  a  large  platform,  some  200  to  400 
failure  cases  may  be  defined. 

FREQUENCY  ESTIMATION 

The  frequency  estimation  step  in  figure  5  is  closely  allied  to  failure  case 
identification  since  in  practice  each  case  stands  for  a  range  of  actual  cases 
on  the  real  plant,  whose  total  probability  must  be  retained  in  the  analysis. 

The  failure  probabilities  are  estimated  from  historical  failure  rate  data, 
statistics on extreme events such as earthquake and ship collisions and, where
appropriate,  from  detailed  examination  of  the  failure  case  by  Fault  Tree  Analysis. 

Failure  rate  data  in  the  offshore  oil  and  gas  industry  are  sparse  and 
approximations  are  necessary  to  complete  most  analyses.    Probabilities  also 
have  to  be  estimated  for  the  case  of  the  release  igniting  immediately,  rather 
than  forming  a  dispersed  cloud,  and  for  the  likelihood  that  each  potential 
ignition  source  would  actually  cause  ignition.    At  present,  accident  case 
histories  are  the  main  source  of  data  on  ignition  probabilities,  but  much  more 
work  is  required  on  this  aspect  since  it  can  have  a  critical  effect  on  the 
final  risk  estimates. 

CONSEQUENCE  ANALYSIS 

The  consequence  models  have  great  variety,  because  of  the  different  conditions 
under  which  materials  may  be  handled  in  this  industry.    Enormous  research  and 
development  effort  is  being  expended  on  certain  aspects  of  these  models,  such  as: 

• dispersion of dense gas/aerosol clouds

• two-phase discharge behavior in hydrocarbons

• initial mixing of high-pressure release

• combustion of hydrocarbons in realistic circumstances of confinement and
high turbulence.

Figure 5. Overall flow diagram of risk analysis

For risk analysis purposes, the consequence models most commonly needed are as
follows:

1.  Calculation  of  discharge  rate  using  the  relevant  formulae  for  liquid,  gaseous 
or  two-phase  discharge. 

2.  Dispersion  of  the  vapor  cloud  in  the  atmosphere  using  models  which  take 
account  of  density  and  momentum  effects  as  appropriate.    Note  that  offshore 
oil  and  gas  hazard  analysis  puts  special  demands  on  the  models  that  are 
used  for  this  purpose,  because  of  the  massive  scale  of  the  releases  (Cox, 
1980). 

3.  Modeling  of  the  combustion  of  the  dispersed  cloud,  including  both  confined 
and  unconfined  vapor  cloud  explosions  (of  which  the  former  are  much  the 
most  important  offshore).    Jet  flames,  pool  fires  and  BLEVEs  must  also  be 
considered. 

Collections  of  such  mathematical  models  are  given  in  the  COVO  report  (Rijnmond 
public  authority,  1982)  and  by  TNO  (1980).    There  is  still  a  considerable  degree 
of  controversy  about  the  best  methods  of  prediction  of  some  of  these  phenomena, 
but  advances  in  theoretical  understanding  and  in  the  experimental  data  available 
for  checking  models  have  led  to  the  emergence  of  a  fairly  consistent  consensus 
view  on  at  least  the  principal  phenomena. 

PRESENTATION OF RESULTS

The  frequency  and  consequence  analyses  generate  a  large  number  of  intermediate 
results,  each  characterizing  one  particular  scenario  or  Event  Tree  outcome. 
For  an  offshore  platform,  these  intermediate  results  typically  comprise: 

f_i - the estimated frequency of the event

A_i - an area of the platform experiencing more than some stated degree of
damage (e.g., 50 percent chance of fatality).

N_i - number of fatalities

P_i - amount of oil spilled

V_i - loss of platform capital value.

For direct comparison with risk targets, the f_i values can be summed for N_i,
P_i, or V_i values within defined ranges. Some oil companies have developed risk
targets or criteria in this form.

These  results  can  also  be  presented  in  graphical  form  as  an  "F-N  curve"  (i.e. 
frequency  versus  consequence).    An  example,    taken  from  an  actual  North  Sea 
platform  analysis,  is  given  in  figure  6. 

Both  of  the  above  forms  give  information  about  the  size  and  likelihood  of 
accidents  of  different  magnitudes.    They  contain  no  information,  however,  about 
the  distribution  of  risk  as  a  function  of  location  on  the  platform.  For 
fatalities, this can be achieved by summing, for each location, the f_i values
for all scenarios for which the zone A_i includes that point. This is then
repeated  for  all  locations  of  interest. 

These  results  are  difficult  to  present  in  a  pictorial  form,  because  of  the  three- 
dimensional  nature  of  the  platform,  so  a  tabular  form  is  normally  used  instead. 
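
The three presentations described above (frequencies summed within consequence ranges, the F-N curve, and risk by location in tabular form), as an added example that is not part of the original paper. It assumes the F-N ordinate is the cumulative frequency of N or more fatalities, a common convention that the text does not spell out; the scenario records, zone names and range edges are constructed.

```python
"""Presenting risk results (added example; scenario data are constructed).

Each scenario i carries f_i (frequency), N_i (fatalities) and A_i (the set
of platform zones inside its damage area), as in the list above.
"""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    f: float          # f_i, events per year
    n: int            # N_i, fatalities
    zones: frozenset  # A_i, zones exceeding the stated damage level


# Constructed sample; not taken from any platform study.
SCENARIOS = [
    Scenario("small process fire", 2e-3, 1, frozenset({"process"})),
    Scenario("wellhead jet fire", 5e-4, 4, frozenset({"wellhead", "process"})),
    Scenario("confined explosion", 1e-4, 15, frozenset({"process", "utilities"})),
    Scenario("riser failure and fire", 2e-5, 60,
             frozenset({"wellhead", "process", "utilities", "quarters"})),
    Scenario("helicopter crash", 3e-5, 12, frozenset({"helideck", "quarters"})),
]


def banded_frequency(scenarios, lower_edges):
    """Sum f_i over scenarios whose N_i falls in each range.

    lower_edges=[1, 10, 100] gives the ranges 1-9, 10-99 and 100+.
    Scenarios below the first edge (e.g. no fatalities) are left out.
    """
    edges = sorted(lower_edges)
    labels = [f"{lo}-{hi - 1}" for lo, hi in zip(edges, edges[1:])]
    labels.append(f"{edges[-1]}+")
    totals = dict.fromkeys(labels, 0.0)
    for s in scenarios:
        band = bisect_right(edges, s.n) - 1
        if band >= 0:
            totals[labels[band]] += s.f
    return totals


def fn_curve(scenarios):
    """Return [(N, F)] with F = sum of f_i over scenarios with N_i >= N,
    one point per distinct N, in ascending order of N."""
    by_n = {}
    for s in scenarios:
        if s.n > 0:
            by_n[s.n] = by_n.get(s.n, 0.0) + s.f
    curve, running = [], 0.0
    for n in sorted(by_n, reverse=True):
        running += by_n[n]
        curve.append((n, running))
    return curve[::-1]


def location_risk(scenarios):
    """For each zone, sum f_i over every scenario whose A_i includes it."""
    risk = {}
    for s in scenarios:
        for zone in s.zones:
            risk[zone] = risk.get(zone, 0.0) + s.f
    return risk


def contributors(scenarios, zone):
    """Scenarios affecting one zone, ranked by their share of its risk."""
    hits = [s for s in scenarios if zone in s.zones]
    total = sum(s.f for s in hits)
    return sorted(((s.name, s.f / total) for s in hits), key=lambda x: -x[1])


if __name__ == "__main__":
    print("Ranges:", banded_frequency(SCENARIOS, [1, 10, 100]))
    for n, f in fn_curve(SCENARIOS):
        print(f"N >= {n:3d}: {f:.2e} per year")
    for zone, f in sorted(location_risk(SCENARIOS).items(), key=lambda x: -x[1]):
        print(f"{zone:10s} {f:.2e} per year")
```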

Critical  events  which  contribute  the  most  to  such  indices  of  risk  are  then 
identified.    For  each  of  the  most  significant  events,  an  indication  can  be 
given  of  whether  it  is  the  probability  or  the  consequence  (or  both)  that  causes 
it to be significant; this information is useful in suggesting possible
improvements.

Naturally, the question of risk acceptability criteria arises. This is not a
matter on which there will ever be total agreement, but it has been found that
it is useful to have some quantitative criteria or targets so that risk (actual
or predicted) can be put in some kind of context. With experience, one quickly
acquires a feeling for the magnitudes of "high" and "low" risks. However,
these  criteria  should  not  be  interpreted  rigidly  -  neither  the  criteria  nor  the 
methods  of  risk  analysis  are  accurate  enough  for  that. 

Criteria  or  targets  for  risk  have  been  developed  by  oil  companies,  by  the 
nuclear  industry  and  by  government  and  a  comparison  of  some  of  these  for  multiple- 
fatality  accidents  (drawn  in  the  F-N  plane)  is  shown  in  figure  7.    In  addition, 
risks  to  individuals  may  be  compared  against  the  general  observable  background 
of  risk: 

Type of Risk                 Frequency Per      Source
                             Million Years

Overall mortality            11000              USA, UK, France,
                                                Belgium, Netherlands
All accidents                460                ditto

Occupational:
  Chemical industry          25                 Burgoyne (1980)
  General manufacturing      20                 Lees (1980)
  Fishing                    175                ditto
  Coal mining                200                ditto
  Construction               335                ditto
  UK offshore                1000               ditto

Figure 6. F-N curve for fatalities - offshore platform

2.9 AUDITS


Various  types  of  engineering  audits  may  be  used  during  the  construction, 
commissioning  and  operational  phases  of  the  development. 

CONSTRUCTION  AUDIT 

Whereas  certain  inspections  have  to  be  made  during  construction  to  comply  with 
legal or insurance requirements, some companies carry out an audit of
construction procedures and activities for internal use. This is done to ensure that
the installation, as built, conforms to the original specifications and codes
of practice and with recommendations arising from earlier safety studies.

The  audit  is  usually  done  with  the  aid  of  a  checklist  or  questionnaire.  This 
will  cover  such  matters  as: 

•  procedures  for  quality  control 

•  qualifications  of  personnel  (welders,  inspectors,  etc.) 

•  procedures  for  implementing  late  changes  and  rectification 

•  material  control 

•  non-destructive  testing 

•  equipment  and  material  vendor's  quality  control. 

The  scope  of  the  audit  will  include  civil  works,  plant,  and  instrumentation.  It 
will  not  only  involve  spot  checks  on  site  but  can  also  look  at  the  dependability 
(or  reliability)  of  the  procedures  or  systems  in  use. 

PRE-COMMISSIONING  CHECK 

Most  companies  carry  out  a  brief  but  comprehensive  check  just  prior  to  initial 
start-up.    Often,  this  is  not  very  formal;  it  is  concerned  mainly  with  ensuring 
that  all  previously  ordered  jobs  have  actually  been  completed  on  site.  A 
checklist  procedure  may,  again,  be  used,  but  the  main  element  is  a  detailed 
tour  of  the  plant  itself. 

OPERATIONAL  PHASE  -  SAFETY  AUDITS 

Once  a  plant  enters  operation,  hardware  and  procedures  will  start  to  change 
from  those  originally  established  by  the  commissioning  team.    Usually,  there 
are  good  reasons  for  this:    the  operators  may  find  simpler  or  more  economic 
procedures  and  the  operational  requirements  themselves  may  change.    However,  it 
is  also  quite  possible  that  safety  standards  fall  off  with  time  because  the 
designer's  original  intentions  and  concerns  have  been  forgotten  and  experience 
of satisfactory operation leads to overconfidence and a false sense of security.

For  these  reasons,  occasional  safety  audits  are  much  used  in  operating  companies. 
These,  however,  may  take  many  forms,  as  is  well  illustrated  in  the  booklet 
"Safety  Audits"  (Chemical  Industry  Safety  and  Health  Council,  1973).  Audits 
may  vary  from  a  half-day  tour  by  the  manager  to  a  review  lasting  several  weeks, 
carried out by a team of engineers of different disciplines and independent
of everyday plant management. For the most penetrating audit, the study should
not be announced in advance.

Questionnaires  and  checklists  are  often  employed  and  several  are  given  in  the 
booklet  mentioned  above.    These,  however,  vary  considerably  in  quality  and  care 
must  be  taken  with  the  wording  of  questions.    Factual  questions  whose  answers 
can  be  checked  are  much  preferred  over  vague  ones  that  may  permit  a  complacent 
answer. 

Safety  audits  are  useful  mainly  for  keeping  up  the  standard  of  occupational 
safety  (i.e.,  preventing  relatively  minor  accidents)  and  are  only  relevant  to 
major  disasters  insofar  as  they  reduce  their  probability.    It  may  well  be  that 
the  time  has  come  for  extending  the  safety  audit  concept  so  that  its  questioning 
is  also  focussed  on  the  equipment  items  that  give  rise  to  major  hazards.  The 
structure  of  this  part  of  the  audit  could  then  be  cast  in  probability/consequence 
terms  in  the  manner  of  a  risk  assessment  (but  without  quantification).  This 
would  impose  a  consistent  and  logical  thought  process  on  the  audit  team,  in 
which  failure  modes  are  considered  with  regard  to  possible  causes  on  the  one 
hand  and  to  the  containment  of  their  consequences  on  the  other. 

3.0 EXPERIENCE OF PRACTICAL APPLICATIONS IN THE NORTH SEA


A  summary  is  given  below  of  the  extent  of  practical  applications  of  the  techniques 
discussed  above  in  the  offshore  North  Sea  area,  so  far  as  the  authors  are  aware. 

FULL  RISK  ANALYSES 

At  least  four  such  studies  have  been  completed,  to  the  authors'  knowledge,  all 
commissioned  by  industry  and  all  for  internal  use  (i.e.,  not  prepared  for 
submission  to  government).    The  purposes  of  these  studies  were  all  the  same  - 
to  obtain  an  overview  of  the  risk  picture  and  to  use  it  both  to  enhance  safety 
on  the  project  itself  and  to  learn  something  useful  for  the  next  project. 
Subjects  of  study  included  major  and  medium-sized  production  platforms  and  a 
platform/pipeline  system. 

CONCEPT  SAFETY  EVALUATIONS 

About  a  dozen  of  these  rather  specific  studies  have  been  completed  to  date,  all 
commissioned  by  industry  but  in  many  cases  primarily  for  submission  to  the 
Norwegian  Petroleum  Directorate.    Subjects  have  included  major  integrated 
drilling/production/quarters  platforms  with  steel  and  concrete  structures, 
small  riser  platforms,  a  major  water  injection,  drilling  and  quarters  platform, 
advanced  deep  water  concepts  and  semisubmersibles. 

It  is  generally  agreed  that  the  CSE  methodology  is  effective  in  injecting  a 
strong  safety  influence  at  the  formative  stage  of  a  project,  and  both  industry 
and  government  agree  that  it  provides  a  suitable  basis  for  design  which  is 
neither  too  strict  nor  too  lax.    There  is  no  doubt  that  it  has  caused  designers 
to  take  account  of  both  the  probabilities  and  consequences  of  events  in  a 
systematic  way  and  there  is  every  reason  to  expect  that  the  resulting  designs 
will,  indeed,  have  great  reserves  of  "survival  capability,"  as  was  the  main 
original  intention. 

HAZOP 

Although  at  first  resisted,  on  the  (spurious)  grounds  that  it  added  nothing  to 
the  existing  practice  of  API  RP  14C,  HAZOP  has  recently  become  very  widely  used 
in  the  North  Sea  Offshore  industry,  in  all  national  sectors.    Process  departments 
appreciate  HAZOP  for  its  ability  to  stimulate  creative  thought  and  for  its 
broad  range  of  applicability,  relative  to  RP  14C  -  although  the  latter  is  easier 
to  use. 

Experience  with  HAZOP  is  that  potential  troubles  are,  indeed,  often  identified 
by  this  means.    HAZOP  teams  usually  feel  satisfied,  after  conclusion  of  the 
study,  that  the  plant  will  be  safe.    However,  care  must  be  taken  not  to  allow 
too  much  "adding  on"  of  protective  devices  without  proper  consideration  of 
their  need  and  effectiveness,  particularly  when  several  such  extras  are  considered 
together. 

RELIABILITY ANALYSIS


In  the  main,  reliability  analysis  has  been  used  offshore  for  three  purposes: 

1.  To  verify,  or  contribute  to,  achievement  of  target  levels  of  reliability  of 
production.    This  has  been  done,  for  example,  for  certain  key  gas  fields  in 
the  UK  sector  where  peak  supply  is  the  main  objective  and  reliability  is 
therefore  important. 

2.  To  evaluate  frequencies  of  failure  in  complex  plant  as  part  of  a  risk 
analysis. 

3.  To  evaluate  the  effectiveness  (reliability)  of  active  protective  systems 
such  as  firewater,  gas  detection  and  so  on,  as  an  aid  to  detailed  design. 

In  general,  the  Fault  Tree  method  has  been  used  as  the  basic  approach  and, 
while  the  usual  problems  of  failure  rate  data  adequacy  have  inevitably  been 
encountered,  the  results  have  generally  been  considered  worthwhile.    This  is 
mainly  because  the  intellectual  exercise  of  comprehending  the  system  and 
analyzing  its  logic  rigorously  is  valuable  in  its  own  right  and  tends  to  suggest 
improvements  before  the  tree  has  been  quantified.    Even  the  process  of 
quantification  is  not  so  difficult  as  appears  at  first  sight,  since  data  can 
usually  be  found  for  broadly  comparable  plant  without  excessive  research  effort. 
The  main  obstacle  to  getting  the  data  is  usually  just  the  psychological  one  of 
making  a  start  on  the  problem  -  the  data  often  exist,  but  it  is  not  always 
immediately  obvious  where  to  look  for  it;  also,  work  may  have  to  be  done  to 
adapt  data  to  a  special  application. 

4. CONCLUSIONS


1.  Techniques  for  analysis  of  safety  and  reliability  problems  are  established 
in  many  applications  within  the  offshore  oil  and  gas  industry  in  Europe. 

2.  Different  analytical  methods  are  available  for  the  many  and  various  safety 
problems  that  arise  in  the  offshore  industry.    It  is  rare  that  there  is  a 
choice  of  method,  provided  that  the  problem  has  been  correctly  identified 
and  formulated. 

3. While some of the techniques are very thorough and comprehensive, others
are lacking in any structure save for a predetermined checklist. In general,
the more sophisticated techniques are gaining steadily broader acceptance
in the North Sea area.

4.  The  techniques  of  risk  and  reliability  analysis  for  process  plant  and 
structures  for  offshore  developments  have  improved  rapidly  in  the  past  few 
years.    In  particular,  the  consequence  models  are  much  improved  and  there 
is less variation between different models than was the case five years
ago. The main areas requiring further effort are in adapting consequence
models  to  typical  platform  situations  (i.e.,  high  pressure  hydrocarbon 
releases,  closely-packed  equipment  and  structures  and  confinement)  and  in 
obtaining  good  failure  data. 

5.  The  results  of  risk  analyses  are  actively  used  in  the  North  Sea  area  in  all 
national  sectors  both  in  strategic  decisions  such  as  permission  to  build  new 
platforms, and in providing detailed information for improving the safety
of a specific platform design.

MANAGEMENT OF OFFSHORE RISK


A  presentation  of  some  of  the  safety  control  elements  of  the  petroleum  activities 
as practiced on the Norwegian Continental Shelf.

by 

Dr. Øystein Berg, Deputy Director
The  Norwegian  Petroleum  Directorate  (NPD) 


In  order  to  explain  how  offshore  risks  are  managed  in  Norway,  it  is  first 
necessary to briefly describe the development of the official framework concerning
safety regulation and control. Thereafter, I shall describe in more detail how
the  various  elements  of  risk  management  are  taken  care  of  in  relation  to  major 
offshore  development  projects.    I  shall,  in  particular,  describe  these  activities 
in  relation  to  two  NPD  guidelines  for  offshore  petroleum  activities  which  are 
quite  unique  in  the  world  of  the  offshore  industry,  namely,  "Guidelines  for  the 
licensees  internal  control"  (Appendix  1)  and  "Guidelines  for  safety  evaluation 
of  platform  conceptual  design"  (Appendix  2). 

INTRODUCTION 

The  "petroleum  adventure"  in  Norway  really  started  in  1959  with  the  enormous 
gas find in Groningen in the Netherlands. It was well known that hydrocarbons
were found and produced on the other side of the Channel, and the oil industry
deduced that there might be reservoirs under the North Sea. They were correct,
as  evidenced  by,  for  instance,  the  important  offshore  gas  fields  on  the  British 
Continental  Shelf. 

Encouraged  by  this,  some  companies  got  the  idea  that  it  might  be  worthwhile 
looking  for  hydrocarbons  further  north,  and  towards  the  end  of  1962,  an  American 
company,  Phillips  Petroleum  Company,  approached  the  Norwegian  Government  and 
asked  for  the  sole  right  to  explore  for  and  exploit  hydrocarbons  on  the  Norwegian 
Continental  Shelf. 

The  Government  had  to  take  its  time.    There  was  no  legislation  covering  such 
activities, no administrative apparatus, and apart from the shipping companies'
expertise in transporting oil in tankers, our industry had hardly any knowledge
of  the  various  aspects  of  oil  and  gas  exploration  and  production. 

Some  basic  questions  had  to  be  dealt  with  before  operations  could  be  allowed  to 
start, the first one being "what is the extension of our Continental Shelf?"

In  accordance  with  the  1958  Geneva  Convention,  a  Royal  Decree  was  issued  in  May 
1963, declaring that "the seabed and the subsoil in the submarine areas outside
the  coast  of  the  Kingdom  of  Norway  are  subject  to  Norwegian  sovereignty  in 
respect  of  the  exploitation  and  the  exploration  of  natural  deposits,  to  such 
extent  as  the  depth  of  the  sea  permits  the  utilization  of  natural  deposits, 
irrespective  of  any  other  territorial  limits  at  sea,  but  not  beyond  the  median 
line  in  relation  to  other  states." 

The median lines were drawn up in agreement with the UK and Denmark in 1965,
with  Sweden  in  1968,  and  this  clarified  the  situation  south  of  62°.    North  of 
this  parallel  there  are  still  some  important  question  marks. 

Just  a  month  after  the  1963  proclamation  stating  that  the  shelf  outside  the 
coast  of  Norway  belonged  to  the  Kingdom  of  Norway,  the  Storting  (the  Norwegian 
Parliament)  issued  a  law  relating  to  Exploration  and  Exploitation  of  Submarine 
Natural  Resources.    This  is  a  very  short  law  with  only  six  sections.    The  law, 
which  is  a  typical  framework  law,  contains  the  following  three  main  principles: 

1.  The  right  to  submarine  natural  resources  is  vested  in  the  State. 

2.  The  Government  may  give  Norwegian  or  foreign  persons,  including  institutions, 
companies,  and  other  associations,  the  right  to  explore  for  or  exploit 
natural  resources. 

3.  The  Government  may  issue  regulations  concerning  the  exploration  for  and 
exploitation  of  submarine  natural  resources. 

Obviously,  when  this  started,  there  was  a  pressing  need  for  the  regulation  of 
drilling  activities  while  similar  rules  for  the  production  could  wait.    Thus  we 
got  a  Royal  Decree  of  25  August  1967,  relating  to  Safe  Practice,  etc.,  in 
Exploration  and  Drilling  for  Submarine  Petroleum  Resources.    The  Decree  has 
later  been  revised  and  now  bears  the  date  of  3  October  1975.    The  1975  version 
was  not  substantially  different  from  the  1967  version,  but  had  some  important 
additions,  particularly  a  Chapter  IV  on  Contingencies,  which  sets  out  rather 
detailed  requirements  for  contingency  plans  for  use  in  the  event  of  accidents 
or  dangerous  situations. 

The  1975  Decree  has  in  all  121  sections.    In  addition,  it  authorizes  the  Ministry 
of  Industry  (today  transferred  to  the  Ministry  of  Labor  and  Municipal  Affairs) 
and  the  various  controlling  agencies  "to  issue  further  regulations  and  orders 
as  deemed  necessary  for  the  implementation  of  these  regulations."  This 
authorization  has  been  used  extensively,  a  subject  to  which  I  shall  revert  in  a 
moment,  and  we  are  therefore  faced  with  very  comprehensive  regulations. 

The Decree of 3 October 1975 can in many ways be regarded as a framework. It
specifies,  for  example,  in  many  cases,  that  equipment  shall  be  of  a  kind 
involving  the  smallest  possible  risk  of  accident,  fire,  explosion  and  the  like, 
and  that  wells  shall  be  properly  secured  in  accordance  with  good  and  careful 
oil  industry  practice.    In  the  course  of  time  a  need  has  arisen  for  a  further 
specification  of  requirements,  and  detailed  supplementary  regulations  have  been 
drawn  up  or  are  in  preparation. 

The  supervision  of  compliance  with  the  1975  Decree  has  been  delegated  to  the 
following  governmental  institutions: 

•  The  Norwegian  Maritime  Directorate 

•  The  Norwegian  Petroleum  Directorate 

•  The Norwegian Water Resources and Electricity Board

•  The Directorate of Public Health

•  The Norwegian Telecommunications Administration

•  The Directorate of Civil Aviation

•  The National Inspectorate of Explosives and Flammables

•  The Norwegian Directorate of Seaman


It  is  the  Norwegian  Maritime  Directorate  that  is  responsible  for  the  coordination 
of  the  control  activities  from  the  different  agencies  in  relation  to  the  1975 
Decree.    These  agencies  have  on  their  side  issued  regulations  covering  their 
specific  area  of  control. 

Fixed installations, pipelines, etc., were for a long time dealt with in a
manner which seemed rather unsatisfactory, with little or no written rules.
However, on 9 July 1976, we got a Royal Decree, Safety Rules for Production,
etc., of Petroleum Resources under the Seabed, which is, broadly speaking,
technical in nature.

In  the  Committee  Report  upon  which  the  Decree  to  a  large  extent  is  based,  it  is 
emphasized  that  the  installations  and  equipment  used  vary  greatly  both  in  design 
and  function  and  that  the  operations  to  be  performed  are  of  many  different 
kinds.    So  are  the  accidents  that  may  occur.    Consequently  the  Committee  says: 
"It  is  not  realistic  to  foresee  a  set  of  regulations  that  can  apply  to  every 
detail."    The  regulations  therefore  concentrate  upon  "material  and  operations 
that  experience  shows  involve  special  risks  and  where  failure  may  lead  to  the 
gravest  consequences." 

Most  of  the  123  sections  of  the  1976  Decree  are  of  a  rather  general  nature  and 
great  emphasis  is  put  upon  a  regular  flow  of  information  between  the  licensee 
and  the  authorities  so  that  at  the  earliest  possible  stage  it  can  be  made  sure 
whether  technical  or  safety-related  issues  are  acceptable  or  not.    The  Norwegian 
Petroleum  Directorate  has  the  same  role  as  coordinator  for  the  control  on  fixed 
installations  as  the  Maritime  Directorate  has  on  mobile  installations.    A  number 
of  other  governmental  agencies  are  also  involved  such  as: 


•  The Norwegian Maritime Directorate

•  The Norwegian Telecommunications Administration

•  The Coastal Directorate

•  The Directorate of Civil Aviation

•  The State Pollution Control Authority

•  The Directorate of Public Health

Even though the regulatory system indirectly foresees a certain amount of
flexibility  on  behalf  of  the  authorities,  it  is  intended  that  more  detailed 
regulations  should  be  drawn  up.    The  Norwegian  Petroleum  Directorate  has  issued 
such  documents  in  most  safety  areas. 

Earlier,  I  mentioned  the  Continental  of  1963  on  which  the  1975  and  1976  Decrees 
are  based.    We  also  have  another  important  law  which  is  partly  applicable 
offshore.    That  is,  the  Act  of  4  February  1977  relating  to  Worker  Protection 
and  Working  Environment. 

The  legislation  for  the  protection  of  labor  has  traditions  in  Norway  back  to 
1892,  when  we  got  the  Act  of  Supervision  of  Factory  Work.    A  more  extensive  and 
radical Act was introduced in 1936. Since the 1956 Act, Norway has experienced
an  extensive  industrial  development.    We  constantly  introduced  new  chemical 
substances  and  materials,  new  production  methods,  and  new  ways  of  organizing 
the  work.    This  development  in  many  ways  changed  the  risk  exposure  of  the 
working  places,  and  also  increased  our  knowledge  about  the  negative  effects  and 
long-term  consequences  of  this  new  high  risk  working  environment.  Besides, 
stress  developing  conditions  in  connection  with  the  organization  of  the  work, 
wage  payment  systems  and  management  handling  became  dominating  subjects. 

This  industrial  development  has  gradually  been  followed  by  a  series  of  important 
amendments  in  the  working  environment  legislation.    However,  finally  there  was 
a  need  for  a  complete  revision  and  extension  of  the  foundation  of  the  law  in 
order  to  bring  it  up  to  date  with  the  technological,  economical,  and  social 
development  which  had  taken  place.    This  resulted  in  the  Working  Environment 
Act  of  1977. 

The main principles of the law of 1977 may be listed in the nine points as
follows: 

1.  The  Act  shall  secure  a  working  environment  which  gives  the  employees  full 
safety  against  harmful  physical  and  psychological  influences. 

2.  The  Act  is  intended  to  apply  for  as  many  working  situations  as  possible, 
no  matter  what  line  of  business,  and  it  includes  both  public  and  private 
enterprise. 

3.  The  working  environment  is  supposed  to  be  "fully  satisfactory." 

4.  The  working  environment  has  the  main  responsibility  for  the  implementation 
of  the  law. 

5.  The  employees  have  first  of  all  a  duty  to  show  care  and  attention  and  to 
carry  out  the  prescribed  measures  from  the  employer  of  the  Labor  Inspection/ 
The  Norwegian  Petroleum  Directorate. 

6.  The  working  place  should  be  designed  in  such  a  manner  that  the  employer  in 
general  could  employ  handicapped  persons. 

7.  The  Act  has  certain  provisions  concerning  minimum  age  of  employees. 

8.  The employees shall have influence in working environment questions.

9.  The common sanctions have been strengthened.

As  mentioned  earlier,  the  Worker  Protection  and  Worker  Environment  Act  is  only 
applicable partly on the Continental Shelf. The reason for this is that
the  activity  offshore  is  somewhat  special  compared  with  the  onshore  industry. 
The  Ministry  of  Labor  and  Municipal  Affairs  issued  a  Royal  Decree  of  1  June 
1979  stating  which  sections  in  the  law  should  apply  offshore.    In  addition,  the 
Decree  also  has  some  provisions  that  only  apply  to  the  Continental  Shelf.  It 
is the Norwegian Petroleum Directorate that ensures that these regulations are
complied with.

The status today is, therefore, that we have two laws followed by three Royal
Decrees  governing  the  safety  aspects  in  the  petroleum  industry  on  the  Norwegian 
Continental  Shelf.    (In  addition,  the  Norwegian  Seaworthiness  Act  is  applicable 
to  mobile  units.)    This  framework  has  resulted  in  a  situation  where  there  is  a 
marked  difference  in  the  control  system  for  mobile  and  fixed  installations. 
The  consequence  is,  for  example,  that  an  existing  drilling  rig  cannot  readily 
be  used  for  drilling  production  wells  because  it  will  not  comply  with  regulations 
applicable  to  production  installations. 

Another  practical  problem  is  that  the  regulations  governing  the  activities  of 
the  control  agencies  and  also  the  industry,  are  on  a  very  detailed  level,  thus 
restricting  technological  development  and  flexible  solutions  to  problems. 

FUTURE  REGULATORY  FRAMEWORK 

In  1972,  it  was  decided  that  the  petroleum  activity  needed  to  be  regulated  in  a 
dedicated  law,  and  that  there  was  sufficient  experience  available  to  be  able  to 
develop  such  a  law.    Work  started,  and  is  now,  10  years  later,  in  the  final 
stage  of  preparation.    The  new  "Petroleum  Law"  is  expected  to  be  passed  by  the 
Storting  (the  Norwegian  Parliament)  in  the  spring  of  1985. 

Two  Royal  Decrees  will  be  added  to  the  Law.    One  will  concentrate  on  resource 
management  aspects  and  the  other  will  concentrate  on  safety  aspects.    The  latter 
will  replace  the  Royal  Decrees  of  1975  and  1976. 

The report to the Storting concerning the "Alexander L. Kielland" accident
contained  an  evaluation  of  the  existing  control  system  and  discussed  necessary 
changes  with  particular  emphasis  on  main  policy  matters.    I  will  describe  the 
most  important  ones  as  these  will  be  reflected  in  the  new  Royal  Decree  regarding 
safety  in  the  petroleum  activity.    These  are: 

1.  The  objective  of  the  new  Royal  Decree  is  to  establish  a  unified  safety 
standard  for  mobile  and  fixed  installations  and  a  more  coordinated  control 
system  based  on  the  principle  of  "internal  control." 

2.  Development  of  more  functional  requirements  must  be  carried  further. 

3.  The development of the "internal control" system must be continued in
order  to  provide  a  regulatory  system  which  can  secure  effective  control 
within  the  limitations  of  the  resources  available  to  public  authorities. 

4.  The  future  control  system  shall  consist  of  the  smallest  number  of  regulatory 
agencies  possible  and  be  well  coordinated. 

5.  Conceptual  safety  evaluations  must  be  performed  for  all  types  of  installations 
used  in  the  petroleum  activity. 

Regarding  1:    ("The  objective  of  the  new  Royal  Decree  is  to  establish  a  unified 
safety  standard  for  mobile  and  fixed  installations  and  a  more  coordinated 
control  system  based  on  the  principle  of  "internal  control".) 

This  will  result  in  one  regulatory  framework  applicable  to  the  total  offshore 
activity  and  hopefully  eliminate  the  problems  we  are  experiencing  today  as  a 
result  of  the  differences  between  the  regulations  for  mobile  and  fixed 
installations.

In  order  to  fulfill  these  intentions,  it  is  necessary  to  harmonize  the  detailed 
regulations  issued  by  the  various  control  agencies  and  wherever  possible  have 
identical  regulations  with  respect  to  mobile  and  fixed  installations.    It  is 
also  essential  that  the  involved  authorities  implement  the  regulations  in  the 
same  manner.    This  requires  very  good  coordination  which  cannot  easily  be 
achieved  with  the  number  of  institutions  involved  today  and  the  present  delegation 
of  authority  and  tasks. 

Statement  1  also  specifies  that  the  principle  of  the  internal  control  duty 
shall  be  the  main  principle  for  the  total  petroleum  activity.    So  far,  this 
principle  has  only  applied  to  activities  related  to  production  installations, 
but  it  is  now  in  the  process  of  being  implemented  by  the  Maritime  Directorate 
and  some  other  authorities,  not  only  for  offshore  activities  but  also  for  land 
based  industries. 

In the future, other participants in the petroleum activity will have to
establish  systems  for  internal  control.    That  means  that  all  participants  are 
expected  to  be  responsible  for  compliance  with  rules  and  regulations  and  must 
implement  a  control  system  that  ensures  that  rules  and  regulations  are  adhered 
to. 

This  principle  will  also  have  an  important  impact  on  some  contractors  and  some 
operators  that,  up  to  now,  have  only  been  engaged  in  the  exploration  activity. 
Regarding,  for  example,  mobile  drilling  units,  the  role  of  the  Classification 
Authorities will be regarded as a part of the operator/owner's internal control
system.    The  owner  will  therefore  need  a  minimum  staff  to  carry  out  the  necessary 
control  work  because  it  will  be  expected  that  the  internal  control  function  is 
delegated  to  a  specified  unit  within  the  organization.    This  unit  must  have 
sufficient  organizational  freedom  to  be  able  to  examine  all  subordinate  control 
functions  and  to  perform  system  revisions  on  these. 

The control performed by the authorities will in the future be concentrated
upon  controlling  the  internal  control  system.    This  will  mean  a  change  from 
"equipment  control"  to  a  "system  control."    This  system  control  will  be  performed 
as  audits  going  through  documentation,  procedures,  and  also  spot  checks  on 
physical  parts  of  installations. 

A  control  environment  as  described,  will  hopefully  improve  the  safety  level  as 
more  conscious  efforts  will  have  to  be  made  among  those  performing  the  activities 
on  the  Continental  Shelf  regarding  safety  aspects  in  the  planning,  design, 
construction, and operation phases. This environment will hopefully also
result  in  a  better  utilization  of  the  resources  in  the  industry,  support 
organizations,  and  the  public  control  apparatus. 

Operating  Internal  Control  System 

The  fundamental  principle  in  the  legal  framework  for  the  offshore  activity  is 
therefore  that  the  licensees  are  responsible  for  ensuring  that  the  activity  is 
performed  according  to  the  safety  regulations  in  force. 

The  control  being  performed  by  the  public  control  agencies  will  be  a  supplement 
to  the  internal  control  which  the  involved  operators,  contractors,  etc.,  must 
carry  out  and  must  in  no  way  be  considered  a  replacement  or  a  part  of  this 
control.

The  licensee,  therefore,  has  a  clear  duty  to  perform  necessary  control  himself 
and  to  do  this  through  an  organized  internal  control  system.    This  system  shall 
not  only  cover  his  own  activities,  but  also  include  all  contractors/subcontractors 
who  perform  work  for  him. 

The  NPD  first  issued,  "Guidelines  for  the  Licensees  Internal  Control,"  on  7 
June  1979.    These  were  revised  15  May  1981.    (The  main  principles  of  these 
guidelines  are  presently  being  upgraded  to  become  "Regulations  for  Internal 
Control."    This  is  done  in  order  to  satisfy  the  new  Petroleum  Law  and  will 
therefore  cover  all  activities  on  the  Norwegian  Continental  Shelf,  not  only 
those connected to fixed installations.)

The  aim  of  the  guidelines  is  to  clarify  one  of  the  main  principles  of  safety 
control  of  the  petroleum  activity  on  our  Continental  Shelf. 

The  guidelines  have  the  following  definition  of  "internal  control": 

"All  systematic  actions  that  are  necessary  to  ensure  that  the  activity  is 
planned,  organized,  executed  and  maintained  to  requirements  in  and  pursuant  to 
laws  and  regulations." 

It  is  important  to  notice  that  this  definition  includes  the  quality  term. 
(Conformance  with  specified  requirement.)    This  means  that  the  internal  control 
normally  will  be  taken  care  of  by  a  total  Quality  Assurance  system  that  shall 
ensure  conformance  with  the  company's  own  requirements.    The  requirements  from 
the  authorities  concerning  the  scope  of  an  internal  control  system,  might  thus 
be regarded as minimum requirements to a total Quality Assurance system in the
company. 

The  guidelines  are  applicable  to  all  activities,  such  as  design,  construction, 
installation,  and  operation  facilities. 

It is required that the internal control system is described in a general
form with reference to more detailed descriptions of the different parts of the
organization and/or different phases of the project.

The  description  of  the  system,  once  accepted  by  the  authorities,  is  binding 
with  regard  to  the  operator  internally  and  the  authorities  externally. 

The internal control system shall cover all parts of the operator's organization
and  all  phases  of  an  activity. 

This  shall  ensure: 

•  That  competent  persons  are  used  during  planning,  construction,  building, 
installation,  and  operation. 

•  That  worker  protection  and  health  personnel  shall  be  able  to  perform  their 
work  according  to  the  intentions  of  the  Law. 

•  That  all  employees  and  contractor  personnel  are  given  necessary  training. 

•  That  a  total  safety  evaluation  is  performed  at  final  concept  choice. 

•  That  an  analysis  of  the  construction  is  performed. 

•  That  systems  are  established  for  the  administration  of  documents  in  all 
phases  of  a  project. 

•  That  purchasing  documents,  specifications,  etc.,  contain  sufficient 
Quality  Assurance  requirements. 

•  That  control  of  responsibility  and  communication  lines  (interface  control) 
are  ensured. 

•  That  the  suppliers'  Quality  Assurance  is  assessed,  accepted,  audited,  and 
verified. 

•  That  it  can  be  documented  (by  test  reports,  certificates,  etc.)  that  goods 
or  services  supplied  have  an  acceptable  quality. 

•  That satisfactory operating programs (for example, program for drilling,
start-up, production, and programs for simultaneous activities, inspection
and testing, maintenance, etc.) are made and followed.

•  That  temporary  equipment  may  be  installed  and  operated  in  a  secure  way 
and  pursuant  to  established  requirements. 

•  That Quality Control during the operation functions effectively.

•  That  corrective  actions  take  place  when  the  Quality  Control  indicates 
deviation  from  established  quality  requirements. 

•  That  specifications  for  repair  are  established  and  that  the  specifications 
give sufficient support for, and set sufficient requirements for, the
execution of the repair.

•  That  modifications  or  repair  do  not  reduce  the  originally  specified  safety 
level.

•  That  procedures  are  performed  in  such  a  way  that  the  safety  is  taken  care 
of,  even  if  the  production  installation  must  be  operated  in  a  not 
predetermined  way. 

•  That  the  safety  of  the  installations  also  is  ensured  throughout  work 
conflict  and  irregular  shutdown  of  production. 

•  That  necessary  actions  take  place  and  involved  authorities  are  informed 
if  abnormal  incidents  or  accidents  should  occur. 

•  That  information  and  documentation  are  presented  on  time  for  the 
authorities  in  accordance  with  laws,  regulations,  and  guidelines. 

These  examples  are  not  a  comprehensive  list  of  what  the  licensee's  internal 
control  shall  contain,  but  highlight  some  areas  that  should  be  given  special 
attention. 

It  is  of  importance  that  the  licensee  does  evaluate  those  areas  that  are  covered 
through  normal  internal  routines  and  also  areas  where  special  efforts  are 
required.    It  must  also  be  possible  to  continuously  update  the  internal  control 
system. 

To  ensure  the  intended  function  of  the  internal  control,  the  organization  plans 
shall  include  and/or  describe  the  function  and  the  position  of  personnel  that 
shall  supervise  internal  control  and  their  duties  and  responsibilities  in  that 
connection. 

General  responsibilities  and  supervision  for  the  internal  control  is  expected 
to  be  delegated  to  a  special  unit  in  the  licensee's  organization.    This  unit 
must  have  the  necessary  organizational  freedom  to  execute  supervision  of  all 
relevant  control  systems  and  to  perform  a  system  audit. 

Necessary  organizational  freedom  will  normally  mean  that  this  function  should 
be  excluded  from  operational  responsibility  and  should  have  the  possibility  to 
report  to  a  higher  organizational  level  than  the  ones  this  unit  supervises. 

It  is  emphasized  that  this  responsibility  shall  not  be  in  conflict  with  the 
free  and  independent  position  that  worker  protection  and  health  personnel  shall 
have according to the law. The internal control shall ensure the integrity of
these  functions  also  with  respect  to  organizational  freedom. 

The  development  of  the  internal  control  philosophy  has  in  a  very  satisfactory 
way reduced the NPD's heavy control work on a detailed level and made it possible
to  concentrate  on  the  main  important  aspects.    Control  on  a  detailed  level  is 
still  performed,  but  now  as  a  part  of  a  planned  audit  on  a  specific  subject. 

The NPD's impression is also that by checking the operator's internal control
system, instead of only checking individual technical components, we have
achieved a better safety understanding and acceptance within all parts of the
operator's organization. This again has resulted, we feel, in a higher safety
level  on  the  fixed  installations  in  general. 

Regarding  2:    ("Development  of  more  functional  requirements  must  be  carried 
further.") 

A  consequence  of  the  above  described  control  approach  is  that  the  requirements 
in  the  new  Royal  Decree  will  only  be  presented  as  safety  goals  and  it  will  be 
up  to  the  control  agencies  to  issue  more  detailed  regulations.    These  regulations 
will  have  to  be  functional  in  form  and  as  far  as  possible,  avoid  specifying  how 
safety  aspects  shall  be  resolved.    The  intention  is  to  avoid  frequent  revisions 
of  the  regulations  due  to  rapid  development  of  new  technologies,  etc.  The 
objective  is  therefore  to  achieve  a  more  flexible  regulatory  system. 

Regarding  3:    ("The  development  of  the  internal  control  system  must  be  continued 
in  order  to  provide  a  regulatory  system  which  can  secure  effective  control 
within  the  limitations  of  the  resources  available  to  public  authorities.") 

This  item  has  been  commented  under  1,  but  I  will  add  that  in  order  to  further 
develop  the  control  system  based  on  the  philosophy  of  the  internal  control  duty 
vested  with  the  industry,  it  is  important  that  all  parts  of  the  industry  really 
put  an  effort  into  developing  a  good,  trustworthy  internal  control  system.  If 
this  effort  is  not  made,  it  can  result  in  reverting  back  to  a  control  system 
that  is  less  flexible,  more  time  consuming,  complicated,  and  more  resource 
demanding.

Regarding  4:    ("The  future  control  system  shall  consist  of  the  smallest  number 
of  regulatory  agencies  possible  and  be  well  coordinated.") 

This  statement  means  that  a  conscious  effort  will  be  made  to  reduce  the  number 
of  public  control  agencies  and  develop  a  system  where  coordination  is  easy.  If 
this  is  achieved,  one  of  the  main  problems  of  getting  the  same  safety  framework 
for  the  total  offshore  activity  is  eliminated.    It  will  therefore  also  be  easier 
to  establish  a  flexible  regulatory  environment  for  the  industry  and  control 
agencies. 

Regarding  5:    ("Conceptual  safety  evaluations  must  be  performed  for  all  types 
of  installations  used  in  the  petroleum  activity.") 

This item is identified because it is expected that the safety of an installation
should  normally  be  checked  on  three  levels. 

1.  Serviceability control where the main aim is to reduce downtime.

2.  Component  failure  control  where  one  verifies  safety  against  structural  and 
equipment  failures.    Failure  control  is  checked  for  events  of  larger  effect 
but  less  frequent  than  serviceability  control. 

3.  Major  accident  control  where  one  verifies  the  installation  safety  against 
major  accidents  jeopardizing  a  large  number  of  lives,  causing  severe 
pollution  or  major  economical  losses. 

The  serviceability  and  component  failure  control  are  normally  covered  by  existing 
codes  and  regulations.    Procedures  and  criteria  for  major  accident  control  are 
not.    It  is  therefore  necessary  to  introduce  a  requirement  stating  that  a 
conceptual  safety  study  shall  be  performed  as  this  is  considered  being  a  vital 
part  of  the  major  accident  control. 

The NPD has therefore developed a "Guideline for Safety Evaluation of Platform
Conceptual Design," with the purpose of giving guidance for the execution of
safety evaluations of installations. The intention of the guidelines is to
express the general attitude of the Norwegian Petroleum Directorate to the
problem  area,  and  to  indicate  how  the  safety  aspects  can  be  handled  at  an  early 
stage  of  design. 

It  is  important  to  note  that  the  guidelines  are  intended  to  be  used  for  safety 
evaluations  and  analysis  of  installations  as  completed  in  the  operational  phase. 

The  main  chapters  of  the  guidelines  are  as  follows: 

•  Principles  of  the  evaluation 

•  Design  accidental  events 

•  Acceptance  criteria 

Principles  of  Evaluation 

It  is  presupposed  that  the  operator  has  chosen  a  concept  that  complies  with 
general  safety  criteria.    The  intention  of  the  evaluation  is  to  verify  at  an 
early  stage  that  the  concept  chosen  will  result  in  an  acceptable  installation, 
and  that  no  major  changes  during  design  and  construction  phases  will  be  necessary 
because  of  safety  requirements.    The  aim  of  the  evaluation  is  therefore  to 
establish  acceptable  safety  in  compliance  with  given  criteria. 

Design  Accidental  Events 

For  the  installation,  or  parts  of  it,  that  are  relevant  to  the  acceptance 
criteria,  the  licensee  should  specify  a  set  of  design  accidental  events.  In 
principle,  the  design  accidental  events  shall  be  the  most  unfavorable  situations 
relative  to  the  acceptance  criteria. 

In practical terms, it may be considered necessary to exclude the most improbable
accidental  events  from  the  analysis.    However,  the  total  probability  of  occurrence 
of  each  type  of  excluded  situation  should  not,  by  best  available  estimate, 
exceed  10"^  per  year  for  any  of  the  main  functions  specified  in  the  guidelines. 

This  number  is  meant  to  indicate  the  magnitude  to  aim  for,  as  detailed  calculations 
of  probabilities  in  many  cases  will  be  impossible  due  to  lack  of  relevant  data. 

Acceptance  Criteria 

The  platform  design  must  be  such  that  a  design  accidental  event  does  not  impose 
a  danger  to  personnel  outside  the  immediate  vicinity  of  the  accident. 

This  statement  can  be  considered  satisfied  by  complying  with  the  following 
three  criteria: 

1.  At  least  one  escape  way  from  central  positions,  which  may  be  subjected  to 
an  accident,  shall  normally  be  intact  for  at  least  1  hour  during  a  design 
accidental  event. 

2.  Shelter  areas  shall  be  intact  during  a  calculated  accidental  event  until 
safe  evacuation  is  possible. 

3.  Depending  on  platform  type,  function,  and  location,  when  exposed  to  the 
design  accidental  event,  the  main  support  structure  must  maintain  its 
load  carrying  capacity  for  a  specified  time. 

In  summary  the  basic  concepts  of  the  NPD  Guidelines  for  Concept  Evaluation  are 
as  follows: 

1.  The  adequacy  of  the  platform  design  is  measured  by  the  ability  of  escape 
ways,  shelter  areas  and  main  support  structure  to  remain  functional  or 
partly  functional  during  any  of  the  several  Design  Accidental  Events 
(DAEs)  to  permit  personnel  outside  the  immediate  vicinity  of  the  accident 
to  reach  a  safe  location. 

2.  The  DAEs  are  particular  scenarios  in  each  of  which  an  initiating  failure 
(e.g.,  pipe  rupture)  is  considered  in  combination  with  particular 
conditioning  circumstances  (e.g.,  wind  directions,  protective  system 
operation,  etc.). 

3.  Accidental  events  which  do  not  fall  in  the  DAE  class  because  they  would 
make  all  escape  ways  impossible  should  not  have  a  total  probability 
exceeding  10"^  per  year;  the  same  applies  for  shelter  areas  and  main 
support  structures. 

As  it  is  expected  that  such  evaluations  are  carried  out  on  all  types  of 
installations,  it  is  natural  to  assume  that  guidelines  such  as  the  one  just 
mentioned  are  developed  for  use  in  the  industry  as  a  total.    This  development 
will  result  in  a  more  overall  and  thorough  evaluation  of  safety  aspects,  and 
assure  in  a  more  systematic  way  that  major  safety  problems  are  defined  and 
handled at an early stage in a project and thereby improving the overall safety
of  the  installation. 


GENERAL  DESCRIPTION  OF  PROCEDURES  FOR  APPROVAL  OF  THE  DEVELOPMENT  OF  PETROLEUM 
RESOURCES  ON  THE  NORWEGIAN  CONTINENTAL  SHELF 

The Norwegian Authorities' approvals of the various phases of offshore development
projects  are  a  major  part  of  the  safety  management  structure.    The  Norwegian 
Authorities  put  great  emphasis  on  the  safety  and  risk-related  activities  in  a 
project  and  that  they  are  performed  in  a  systematic  and  controlled  manner.  The 
phase-related  approvals  given  by  the  authorities  are  therefore  considered  as 
control  stations  in  this  safety  management  process. 

If  an  offshore  operator  wants  to  develop  a  petroleum  field,  he  first  has  to 
present  to  the  Ministry  of  Petroleum  and  Energy  a  "Field  Development  Plan" 
(figure  1).    The  formal  approval  of  the  Field  Development  Plan  will  subsequently 
be  given  by  the  Storting  (the  Norwegian  Parliament)  on  the  recommendation  of 
the  Ministry  of  Petroleum  and  Energy  concerning  resource-related  matters  and 
the  Ministry  of  Labor  and  Municipal  Affairs/The  Norwegian  Petroleum  Directorate 
concerning  technical  and  safety-related  matters. 

The  Field  Development  Plan  shall  in  addition  to  topics  concerning  geology, 
reservoir  characteristics,  economy,  and  technical  installations,  etc.,  also 
contain  a  section  concerning  the  safety  management  of  the  project.    This  section 
should  contain  a  description  of  the  operator's  safety  policy,  his  management 
system  for  internal  control  and  Quality  Assurance  and  the  initial  safety 
evaluations  undertaken  which  form  the  basis  for  the  choice  of  development  concept. 

The  next  approval  given  by  the  authorities  will  be  at  approximately  the  end  of 
the  preengineering  phase  when  the  operator  has  to  submit  to  the  Norwegian 
Petroleum  Directorate  what  is  known  as  the  "Extended  Field  Development  Plan" 
(the  "Main  Plan"). 

This  is  a  continuation  of  the  Field  Development  Plan,  but  is  more  detailed  than 
the  former.    The  "Main  Plan"  is  mostly  of  technical  and  safety-related  nature 
and  forms  the  basis  for  the  Governmental  acceptance  for  the  project  to  proceed 
into  Detail  Engineering. 

In  addition  to  a  technical  description  of  the  various  parts  of  the  installation, 
including  platform  protection  and  monitoring,  the  main  emphasis  of  the  "Main 
Plan"  will  be  a  detailed  description  of  the  Internal  Control  and  Quality 
Assurance  systems  for  the  Development  Project  (Appendix  3)  and  a  major  Safety 
and  Risk  Analysis  of  the  installations  (Appendix  4). 

Following  these  two  major  approvals,  there  will  be  a  number  of  part  approvals 
given  by  the  authorities,  such  as: 

•  Approval  to  start  fabrication 

•  Approval  to  tow  out  and  install  platforms 
•  Approval to lay pipelines


•  Approval  to  dry  and  test  pipelines,  etc. 

In  addition  to  these  part  approvals,  the  operator  also  has  to  apply  for  various 
operating  permits.    These  are: 

•  Permit  for  use  for  dwelling  purposes 

•  Permit  for  use  for  production  drilling 

•  Permit  for  use  for  petroleum  production 

•  Permit  for  use  for  pipeline  systems 

•  Permit  for  use  for  shipment  facilities 

Common  to  all  these  approvals,  the  operator  has  to  confirm  to  the  authorities, 
that  all  aspects  related  to  safety  and  Quality  Assurance  for  the  following 
activity  are  taken  care  of  and  in  accordance  with  Norwegian  Laws  and  Regulations. 
For  some  of  the  approvals,  the  Norwegian  Petroleum  Directorate  specifically  asks 
for  documentation  (as  indicated  by  the  regulations)  to  follow  the  applications. 

In other instances, the Norwegian Petroleum Directorate may only spot check
certain documents or activities to make sure the project is executed in accordance
with the required safety standards.

The Norwegian Petroleum Directorate only does a 100% control of the project up
to and including the "Main Plan." For subsequent activities the project control
is  undertaken  through  the  system  for  internal  control.    There  is  therefore  no 
formal  system  for  certification  as  in  many  other  countries,  although  certificates 
or  certifying  authorities  may  be  used  by  the  operator  as  part  of  his  internal 
control  system. 

The control undertaken by the Norwegian Petroleum Directorate is therefore a
control of the operator's internal control system and is usually undertaken on a
spot check basis. This form of auditing may be carried out on all levels and
on  all  activities,  both  technical  and  managerial  and  during  all  phases  of  the 
project.    Particular  emphasis  is  put  on  auditing  the  safety  management  system 
of  the  operator  and  the  development  project. 


SAFETY  MANAGEMENT  IN  OFFSHORE  DEVELOPMENT  PROJECTS 

As a consequence of the blowout on the Bravo platform on Ekofisk in 1977, the
Norwegian  Authorities  decided  that  too  little  had  been  done  on  research  and 
development  related  to  the  safety  and  contingency  planning  of  offshore  petroleum 
activities  in  Norway. 

A  major  4  year  R&D  program,  "Safety  Offshore,"  was  therefore  initiated  in  1978. 
The program was terminated in 1983, cost a total of 153 mill. kr., and included
282 projects. (A summary of the various projects can be ordered from the NPD.)
The  program  was  split  into  three  parts.    Two  of  these  were  managed  by  the 
Norwegian  Petroleum  Directorate  and  the  third  by  the  Royal  Norwegian  Council 
for  Scientific  and  Industrial  Research. 

A  substantial  part  of  the  program  dealt  with  aspects  of  safety  management  and 
risk  and  reliability  analysis.    Two  projects  in  particular  looked  at  the  overall 
safety management aspects of offshore development projects in Norway. These
were:

1.  "Project  Model  for  Safety  Management  in  Offshore  Development  Projects." 

2.  "Risk  Analysis  in  Offshore  Development  Projects." 

A Norwegian consultant company, Bedriftsrådgivning A/S, and the Safety and
Reliability  Section  of  SINTEF  (The  Foundation  of  Scientific  and  Industrial 
Research  at  the  Norwegian  Institute  of  Technology)  undertook  these  projects  in 
cooperation  with  two  project  groups  consisting  of  representatives  of  the 
Norwegian  Authorities,  offshore  operators,  and  engineering  and  certifying 
companies. 

Even  if  these  two  projects  present  the  ideal  safety  management  model  and  risk 
analysis  activities  of  offshore  development  projects,  they  do  to  a  large  extent 
reflect the intentions of the Norwegian Petroleum Directorate's guidelines for
"internal control" and "concept evaluation." The projects also give an excellent
overview of the main structure of a field development project where special
emphasis is put on safety-related activities. (The two project reports are
available from Bedriftsrådgivning A/S and SINTEF in Norway. See appendices 5
and 6.)


PROJECT  MODEL  FOR  SAFETY  MANAGEMENT  IN  OFFSHORE  DEVELOPMENT  PROJECTS 

(Extracts from the project report with the kind permission of Bedriftsrådgivning
A/S.)

FRAMEWORK  FOR  SAFETY  MANAGEMENT 

The  main  result  of  this  project  is  a  framework  for  safety  management  (figure  2). 
It  shows,  roughly  and  in  principle: 

•  What  the  safety  activities  in  a  project  may  consist  of. 

•  How  they  may  be  planned,  carried  out,  and  followed-up  through  safety 
management. 

The framework clarifies and interconnects important aspects concerning safety:

•  Safety  objectives  and  safety  requirements  and  how  they  are  established. 

•  Safety  analysis;  which,  when,  and  on  what  basis. 

•  Safety  oriented  decisions. 

•  Design  tasks  involving  safety. 

•  Documents concerning the safety of an installation; both safety reports
and design documents.

•  Safety  control  by  reviewing  design  and  construction  of  installations. 

The  project  model  for  safety  management  aims  at  influencing  the  practice 
concerning  safety  management  in  Norwegian  field  development  projects  in  the 
future.    It  is  therefore  realistically  future  oriented,  mainly  for  the  following 
reasons. 

•  It  is  assumed  that  safety  management  in  the  future  will  be  given  considerable 
emphasis  in  field  development  projects  (corresponding  to  the  level  of 
ambition  reflected  in  the  model). 

•  Intentions,  principles,  and  concepts  in  the  new  Petroleum  Act  which  is 
forthcoming,  have  been  taken  into  the  model  as  far  as  practically  possible. 

•  Increasing  requirements  for  thorough  risk  analysis,  both  from  the  authorities 
and  the  oil  companies. 

•  The  competence  to  carry  out  such  analysis  is  now  being  built  up  in  the 
petroleum  industry. 

•  The safety management process is now coming to be regarded as a total process,
starting  with  goals  and  ending  with  verification. 

•  Safety  is  not  the  responsibility  of  the  project  safety  discipline  alone, 
but  involves  all  those  who  can  influence  the  design  and  construction  of 
the  installation. 


ASPECTS  OF  SAFETY  MANAGEMENT  IN  A  PROJECT 

Safety  management  (objectives,  plans,  analysis,  decisions,  documents)  and  the 
organization  of  safety  activities  in  the  project  will  vary  from  one  phase  to  the 
other  in  the  course  of  the  project. 

Project Phases

The  project  may  be  divided  into  six  separate  phases. 

1.  Feasibility  study; 

2.  Concept  study; 

3.  Preengineering; 

4.  Detail  engineering; 

5.  Construction;  and 

6.  Commissioning  and  startup. 

In  the  first  three  of  these  phases,  the  premises  for  a  safe  installation  are 
established.    The  possibility  to  influence  the  final  result  is  considerable  in 
these  phases,  whilst  it  falls  rapidly  in  the  later  phases. 

Analysis 

Two  main  principles  should  be  followed  when  planning  safety  analysis  in  the 
project: 

1.  The  number  of  analyses  should  be  limited  as  far  as  possible. 

2.  Analysis should be performed where central decisions are made.

This leads to five types of safety analysis:

1.  Rough  risk  analysis; 

2.  Concept  safety  analysis; 

3.  Hazard  analysis; 

4.  Total  risk  analysis;  and 

5.  Risk analysis of construction work.

Control  Entities 

By  control  entities  is  meant  project  documents  to  which  special  attention  should 
be  paid  (especially  concerning  safety)  and  which  are  the  subject  of  management. 
In  the  project  model  these  documents  are  marked  and  specially  described. 

In  each  project  phase  certain  control  entities  are  particularly  important: 

•  Safety  Program  (figure  3). 

This  is  a  plan  for  safety  activities  for  the  project  phase  in  question  and 
subsequent  phases.    The  safety  program  is  an  essential  document  in  practical 
safety  management. 

•  Risk  Analysis  Reports. 

Analysis  and  evaluation  reports  which  form  the  bases  for  decisionmaking. 


•  Safety  Report  From  A  Given  Phase. 

Summary  of  the  safety  analysis  and  decisions  made  in  that  phase. 

•  Safety  Audit  Report. 

Results  from  the  design  reviews,  including  recommendations. 

•  Documents  sent  to  the  authorities  concerning  safety-related  matters  such 
as  the  Field  Development  Plan  (Main  Plan  at  present). 

•  Other  documents  produced  in  the  given  phase  of  significance  to  safety: 

-  Engineering/design  documents 

-  Bid  documents 

-  Handbooks/manuals 

-  Etc. 

Organizing  The  Safety  Functions 

In  this  report,  we  have  not  proposed  an  organization  chart  for  the  "ideal" 
safety  organization  in  a  development  project. 

What  we  have  done  is: 

•  to  define  safety  functions  in  a  project, 

•  to  establish  principles  for  organizing  the  safety  activities  in  the 
project. 

These are to be regarded as guidelines, not as solutions.

The safety functions are:

•  SAFETY  MANAGEMENT 

-  Safety  administration 

-  Safety  analysis 

-  Safety  design  coordination 

•  DESIGN  OF  SAFETY  SYSTEMS 

•  SAFETY  AUDITS 

-  Internal  audits 

-  External  audits 

The principles of organization should ensure positive influence on safety, that
is: 

•  Safety  activities  are  given  the  necessary  place  and  priority. 

•  Safety considerations influence all stages of the design.


THE SAFETY MANAGEMENT PROCESS

Safety  management  is  a  continuous  process  running  through  the  whole  project.  By 
means  of  a  Safety  Program  (figure  3),  a  plan  for  all  safety  oriented  activities 
in  the  projects,  we  ensure  in  practice  that  the  safety  management  process  will 
be  carried  through. 

A  safety  program  is  a  document  showing  how  the  individual  elements  in  safety 
management  should  be  carried  out,  when  and  by  whom. 

The  individual  elements  in  the  safety  management  process  consist  of: 

•  Safety  Objectives. 

Establishment  of  the  main  safety  objectives  of  the  project  (verbally 
described).  Based  on  the  safety  objectives  of  the  operating  company 
the  objectives  will  be  adapted  to  the  project's  own  basic  premises. 

•  Acceptance  Criteria. 

On  the  basis  of  safety  objectives  specific  acceptance  criteria  (risk 
targets,  reference  norms)  will  be  established.    These  will  be  used  for 
evaluation  and  acceptance  of  risks. 

•  Risk  Analysis. 

This includes identification, description, calculation/estimation and
evaluation of risk. We here distinguish between:

-  Risk  assessment  (risk  calculations):    that  is  to  determine  risk  for 
a  given  design  by  suitable  methods. 

-  Risk  evaluation:    to  compare  the  calculated  risk  with  the  acceptance 
criteria. 

•  Safety  Requirements. 

The  establishment  of  safety  requirements  (safety  oriented  design  basis), 
based  on  risk  evaluations,  or  from  guidelines  established  by  the  operating 
company. 

•  Implementation.

To  make  objectives  and  requirements  operatively  available  for  those  who 
shall  fulfill  them  in  design  and  construction.    Organization  and  contract 
formulation  are  essential  factors  to  make  this  possible. 

•  Realization of Objectives and Requirements.

Objectives  and  requirements  are  realized  in  the  process  of  project  tasks, 
i.e.,  they  are  incorporated  in  the  selected  design  and  final  product. 
This  implies: 

-  Establishing  design  specifications. 

-  Establishing  complete  design  solutions. 

-  Documentation  of  safety  and  emergency  measures  in  accordance  with 
requirements,  regulations,  and  standards. 

•  Design Review.

Review  and  improvement  of  design  with  respect  to  safety,  as  well  as  other 
aspects,  carried  out  by  project  personnel.    Continuous  coordination  of 
safety  in  design  will  to  a  large  extent  satisfy  this  requirement. 

•  Safety Audits.

Independent  review  of  the  design  with  regard  to  safety,  carried  out  by  an 
independent  group.    Proposals  for  improvement. 

•  Rules, Regulations, and Standards.

The  Government  seeks  to  regulate  the  level  of  safety  through: 

-  definition  of  responsibility  (the  principle  of  internal  control), 

-  guidelines  for  concept  safety  analysis,  and 

-  a  series  of  detailed  regulations. 

-  The  operating  company's  standards  and  specifications  will  also  influence 
the  execution  of  the  project. 

-  On  the  engineering  side,  more  or  less  formal  standards  and  "good  design 
practice"  are  established. 

•  Experience.

Relevant  experience  and  information  for  the  tasks  to  be  carried  out 
must  be  acquired  and  utilized  in  the  project. 

The  model  for  safety  management  which  has  been  developed  is  based  on: 

•  A  safety  management  process  as  described,  shall  take  place  through  the 
whole  life  of  the  project. 

•  A  safety  program  is  the  principal  means  of  bringing  safety  management  into 
the  project.    This  shall  state: 

-  Which  safety  activities  are  to  be  carried  out 

-  How (basis, method, result)

-  When 

-  By  whom  (participants,  responsibility) 


MAJOR  TASKS  IN  EACH  PHASE  (figure  4) 

A  brief  description  of  the  major  tasks  within  each  phase  in  the  project,  is 
given  in  the  following  with  special  emphasis  on  the  safety-related  activities. 

Feasibility  Study 

The  work  in  this  phase  is  mainly  directed  towards  the  definition,  evaluation, 
and description of a number of development concepts for an offshore oil/gas
field, i.e., concepts which are technically, economically, and safetywise
feasible on the basis of the characteristics (geographical position, the
extension of the reservoir's characteristics of water depth, seabed conditions,
etc.)  of  the  field  in  question. 

On  the  basis  of  these  descriptions  a  decision  is  made  on  whether  to  proceed 
with  a  more  detailed  concept  study. 

Safety-related  activities  consist  here  principally  of  formulating  the  primary 
safety  goals  and  objectives  to  be  applied  in  the  further  development  of  the 
project,  establishing  a  safety  program  for  this  phase  and  for  the  rest  of  the 
project,  and  performing  a  first,  rough  risk  analysis  of  alternative  field 
development  concepts  with  respect  to  the  main  types  of  accidents  and  their 
possible  consequences. 

The  work  is  mainly  performed  by  the  operator's  own  project  team,  but  special 
consultants  may  be  engaged  for  special  studies  and  reports. 

Concept  Study 

The  work  from  phase  one  is  here  continued  with  more  detailed  studies  for  selected 
concepts,  to  be  able  to  choose  the  best  concept  for  development  of  the  entire 
field  and  for  the  first  platform.    The  platform  should  here  be  described  in 
sufficient  detail  to  form  the  basis  for  an  "official"  cost  estimate,  and  for 
the  invitation  to  tender  for  preengineering. 

Should the rest of the studies be satisfactory, a declaration of commerciality
will  be  prepared  for  the  partners  (the  other  licensees).    Also,  an  application 
for  landing  permit  is  submitted  to  the  Ministry  of  Oil  and  Energy,  including 
the  licensee's  plan  for  development  of  the  field  (Field  Development  Plan). 

Safety  activities  include  primarily  specifications  of  safety  requirements  for 
the  installation  and  performing  of  certain  safety  analyses: 

•  Rough risk analysis of the installation concept.

•  Preliminary  safety  analysis  of  the  selected  process  and  layout. 

•  Total  risk  analysis  of  the  selected  concept  according  to  the  guidelines 
of  the  Norwegian  Petroleum  Directorate. 

The  operator's  own  organization  undertakes  most  of  this  work. 

Preengineering 

In  this  phase,  the  engineering  of  the  process  system  and  other  main  areas  and 
modules  of  the  platform  is  carried  out  to  a  degree  sufficient  to  invite  tenders 
for  complete  detail  engineering.    This  work  should  result  in  a  complete  design 
philosophy  for  the  installation,  a  description  of  the  scope  of  work  for  the 
detail  engineering  and  bid  documents  for  relevant  engineering  contracts.  In 
addition,  purchase  for  long  lead  items  and  critical  equipment  should  be  awarded. 

In  this  phase,  an  extended  detailed  Field  Development  Plan  shall  also  be 
prepared.    This  shall  be  sent  to  the  Norwegian  Petroleum  Directorate  as  a  basis 
for consent for further engineering.

Safety  activities  continue  with: 

•  Hazard  analysis  of  process  and  utility  systems. 

•  Overall  risk  analysis  of  the  platform. 

The  greater  part  of  the  engineering  will  now  usually  be  performed  by  an 
engineering  contractor.    To  assist  in  procurement  and  project  management,  the 
operator  may  engage  a  Project  Services  Contractor  (PSC),  who  will  also  take 
part  in  the  project  from  this  phase  on. 

Detail  Engineering 

Put  simply,  the  main  activities  are  to  prepare  the  necessary  technical  and 
economical  basis  for  all  contracts  and  purchase  orders,  to  award  these  to 
qualified  suppliers,  and  ensure  that  delivery  takes  place  according  to  plan. 
This  phase  is  usually  the  longest  and  most  resource  demanding  of  the  engineering 
phases. 

With  regard  to  safety,  the  work  will  to  a  large  extent  consist  of  ensuring 
that  previously  specified  requirements  and  premises  are  taken  into  account  in 
detail  engineering.    The  following  analysis  may  be  performed: 

•  An extended detailed hazard analysis of process and utility systems.

•  Availability  analysis  of  safety  systems. 

•  Updating  of  the  overall  risk  analysis. 

•  Risk  analysis  of  construction  and  hookup  work. 

The detail engineering is also normally performed by an engineering contractor
(DEC). The operator's own project team, possibly assisted by a PSC, performs
technical and progress control of engineering and carries out procurement and
contract administration.

Special  parts  of  the  platform,  e.g.,  the  living  quarters  and  the  drilling 
modules,  may  be  awarded  as  combined  engineering  and  construction  contracts, 
which  means  that  the  construction  company  will  perform  the  necessary  detail 
engineering. 

Construction 

In  this  phase,  the  greater  part  of  the  work  will  be  performed  by  selected 
suppliers  and  construction  contractors.    A  considerable  number  of  people  will 
now  participate  in  the  construction  and  erection  of  the  final  product,  according 
to  the  engineering  basis  which  has  been  developed  in  the  preceding  phases. 

The  operator's  own  project  organization,  assisted  by  various  consultants,  will 
have  as  their  main  responsibility,  control  of  the  many  fabrication  and  construction 
activities  with  respect  to: 

•  time/progress, 

•  economy,  and 

•  quality/safety.

The  basis  for  project  control  will  be  according  to  contractual  agreements  for 
fabrication  and  construction  regarding: 

•  scope  of  work, 

•  technical  performance  of  the  work, 

•  time  and  cost  limits,  and 

•  payment  conditions,  etc. 

In  addition,  special  guidelines  for  the  operator's  quality  assurance  and  safety 
management  in  the  phase  will  be  prepared  in  the  form  of: 

•  QA-program and procedures,

•  safety  program  and  procedures, 

•  requirements  for  safety  education  and  training,  and 

•  requirements  for  protection  of  the  equipment  during  the  construction 
period. 

Project  control  itself  may  take  place  at  three  levels,  which  are  briefly 
described  in  the  following: 

•  Overall  project  control  which  consists  of  following  up  progress  and  costs 
for  the  whole  project  to  be  able  to  keep  the  entire  activity  within 
stipulated  time  and  cost  limits.    It  will  normally  be  performed  by  the 
operator's  own  project  team. 

•  Contracts  administration  is  detailed  follow-up  of  each  contract  or  delivery 
to  ensure  completion  according  to  plan.    This  is  also  performed  by  operator's 
representatives,  usually  in  permanent  organizations  at  major  construction 
sites,  and  by  routine  visits  to  minor  fabricators/suppliers. 

•  Inspections  may  vary  from  simple  verification  of  quantity,  weight,  and 
dimensional  control  to  investigation  and  certification  of  welds,  etc. 
This  may  be  performed  by  the  operator's  own  project  team  and/or  an 
independent  third  party  with  special  competence  in  this  field. 

Commissioning  and  Start-up 

The  purpose  of  the  last  of  the  project  phases  is  to  ensure  that  all  parts  of 
the  completed  installation  function  as  required  and  are  ready  for  normal 
operation. 

This is done by activating all equipment and systems singly or together according
to established procedures, testing their function, and, if necessary, making
adjustments or corrections.

For  practical  reasons  it  may  be  convenient  to  perform  some  of  these  tests  while 
the  installation  is  still  near  a  land-based  site.    The  final  commissioning  and 
start-up  will  of  course  be  performed  after  the  installation  is  towed  out  and 
placed  in  its  correct  position  in  the  field.    The  operator's  acceptance  and 
takeover  of  the  installation  takes  place  when  the  above  is  completed  with  a 
satisfactory  result. 

As  a  part  of  the  total  safety  work  of  the  project,  an  evaluation  of  the 
commissioning  work  itself  is  performed  early  in  this  phase  with  the  aim  of 
revealing  possible  risk  factors  for  personnel  and  equipment,  and  taking  the 
necessary  precautions. 

Potential Influence on Safety in the Various Phases


From the above, it is clear that the design of the platform will develop
gradually,  assuming  increasingly  fixed  forms  as  the  work  with  studies  and 
engineering  proceeds.    It  is  thereby  clear  that  the  possibility  of  building 
safety  into  the  product  is  greatest  in  the  early  stages  of  the  project,  especially 
in  feasibility  and  concept  study  phases.    Here,  the  freedom  of  choice  of 
technical  solutions  is  great  regarding  the  type  and  position  of  equipment,  fire 
and  explosion  barriers,  safety  systems,  etc. 

Several  decisions  and  choices  with  safety-related  consequences  are,  as  stated 
above,  made  in  the  early  project  phases.  The  major  premises  for  later  design 
and  safety  analysis  and  evaluations  are  thereby  to  a  large  extent  frozen.  It 
is  therefore  important,  in  the  early  phases,  to  have  access  to  tools  and  aids 
which  enable  as  good  an  assessment  as  possible  to  be  made  of  the  safety-related 
consequences  of  the  decisions  to  be  made,  thus  avoiding  major  design  changes  at 
a  later  stage  and  resulting  delay  and  possible  cost  escalation. 


RISK  ANALYSIS  IN  OFFSHORE  DEVELOPMENT  PROJECTS 

(Extracts  from  the  project  report  with  kind  permission  of  SINTEF.) 

The  use  of  risk  analysis  to  support  safety  management  should  be  consistent  and 
continuous.  The  consistency  that  should  be  achieved,  is  the  iterative  process 
illustrated  in  figure  5. 

From  the  description  of  the  various  phases  of  an  offshore  development  project, 
it  can  be  seen  that  there  are  ten  important  safety  studies  to  be  performed. 
These  studies  are  all  to  be  found  in  the  first  four  phases.    Ten  studies  may 
seem  a  large  number,  but  one  must  notice  that  one  study  is  often  only  a  more 
detailed  version  of  a  study  performed  in  the  previous  phase.    Figure  6  gives  an 
overview  of  the  various  safety  studies,  the  phase  where  it  should  be  performed 
and  the  interrelation  between  the  various  studies. 

A  short  discussion  of  each  study  is  given  in  the  following. 

Phase  1.    Feasibility  Study 

1.     Risk  estimation  of  various  field  concepts. 

Used  as  one  of  the  criteria  for  selecting  field  development  concept.  The 
study  is  of  a  comparative  nature,  and  mainly  based  on  experience  from 
previous  installations  or  studies  made  of  similar  concepts. 

Phase  2.    Concept  Study 

2.  Risk estimation of various installation concepts.

The  study  is  of  a  similar  nature  as  the  previous  one.    It  should  give 
recommendations  regarding  selection  of  platform  type  and  combinations, 
e.g., PDQ, PQ + D, P + D + Q. The study is based on more detailed
information than the field concept risk estimation. In addition to
giving  recommendations  with  respect  to  installation  selection,  the  study 
should  evaluate  the  acceptability  of  the  installation  relative  to  authority 
and  company  internal  criteria  given. 

3.  Preliminary  process  and  layout  study. 

The  study  should  be  performed  during  the  concept  design  of  each  platform, 
evaluating  various  designs  and  recommending  layout  modifications. 

4.  Concept  safety  evaluation. 

A  study  of  the  "finalized"  platform  concept,  verifying  that  the  concept 
will  comply  with  authority  safety  criteria  given.    A  principle  of  analysis 
is  recommended  by  the  NPD,  but  methods  to  use  are  for  the  operator  to 
decide. 

Phase  3.  Preengineering 

5.  Hazard  analysis  of  process  and  utility  systems. 

The  study  shall  give  input  to  the  design  of  process  and  utility  systems. 
Typical  type  of  analysis  is  the  HAZOP  (Hazard  and  Operability  Analysis). 
The study is based on preliminary P&IDs and should be performed before the
design is finalized.

6.  Overall  risk  analysis. 

As  a  basis  for  final  design  of  the  platform,  a  total  safety  evaluation 
should  be  performed.    The  analysis  will  differ  from  the  concept  safety 
evaluation  in  several  ways,  e.g.,  residual  risk  included,  the  installation 
phase  is  included,  the  study  is  based  on  more  detailed  information  and 
will  therefore  be  more  extensive  in  nature. 

Phase  4.    Detail  Engineering 

7.  Detailed hazard analysis of process and utility systems.

This  hazard  analysis  is  a  more  detailed  version  of  the  previous  hazard 
analysis.    It  differs  from  the  previous  by  being  more  detailed  and  acting 
more  as  a  safety  audit  of  nearly  finalized  P&IDs. 

8.  Availability  studies  of  safety  systems. 

As  a  basis  for  deciding  whether  the  specified  reliability  features  of 
safety  systems  have  been  achieved,  detailed  studies  of  safety  systems 
are  performed. 

9.  Updated overall risk analysis.

This  updated  version  of  the  overall  risk  analysis  will  incorporate  all 
design changes made during later preengineering and early detail
engineering. The results will, however, not be easily incorporated in the
platform design because most of the design is finished.

10.  Risk  analysis  of  construction  work. 

The  object  to  be  analyzed  in  this  study  is  not  the  platform  during 
operation,  but  during  its  construction.    The  study  will  focus  on 
accidents  during  construction  work  of  the  various  platform  elements, 
hook-up,  tow-out,  and  offshore  construction  work. 


1. PREFACE

The purpose of these guidelines is to clarify one of
the main principles of safety control of petroleum
activities on the Continental Shelf. The guidelines
deal with important aspects of the internal control
task and with the structure of the licensee's
organization to handle this task.

The below mentioned act states that the licensee
shall establish and maintain an internal control
system which ensures that work is planned, organized
and performed in accordance with the provisions
stipulated in or by virtue of the act.


THE  FOLLOWING  REFERENCE  IS  GIVEN 
TO  LAWS  AND  REGULATIONS: 

— Act relating to worker protection and working
environment § 14 part I (ref. § 4 in Royal Decree
1 June 1979 relating to regulations for worker
protection and working environment in
connection with exploration for and exploitation
of submarine petroleum resources)

— Regulations relating to safe practice for the
production etc., the Royal Decree of 9 July 1976, § 4

— Regulations relating to safe practice etc. in
Exploration and drilling for submarine Petroleum
Resources, the Royal Decree of October 3, 1975, § 3

The internal control duty determines among other
things that the licensee establishes a control and
documentation system which shall ensure that the
requirements are met.

The authorities' supervision does not reduce this
responsibility.

Practical interpretation to the text in these
guidelines is given in italics.


2. DEFINITIONS

For the purpose of these guidelines, the following
means:

Operations:

Start-up, commencement of production drilling,
production or exploitation, including the
transportation of petroleum on such installations where
these guidelines are applicable, and also repair and
maintenance of such installations.

Internal control:

All systematic actions that are necessary to ensure
that the activity is planned, organized, executed and
maintained according to requirements in and
pursuant to laws and regulations.

It is important to notice that this definition
includes the quality term (Conformance with
specified requirement). This means that the internal
control normally will be taken care of by a total
quality assurance system that shall ensure
conformance with the company's own requirements.
The requirements from the authorities to the
scope of an internal control system might thus be
regarded as minimum requirements to a total
quality assurance system in the company.


Safety  includes  here: 

—  Securing  of  human  life  and  health 

— Protection of environment

— Securing of material values

Quality:

A product or a service's ability to fulfil specified
requirements.

Quality control:

That part of the quality assurance which through
measurements, tests or inspection ascertains if the
product or service is in accordance with established
quality requirements.

Quality assurance:

All systematic actions that are necessary to ensure
that quality is planned, obtained and maintained.


Licensee:

A company, foundation or group that holds a
petroleum exploration and production licence. A
licensee is also any company, foundation or group
that holds a permit from the Ministry to locate and
operate installations associated with the production
and/or exploitation of petroleum pursuant to the
legislation in force at any time.


Verification:

Confirmation that an activity, a product or a
service is in accordance with specified requirement.

System audit:

Planned and systematic review of the company's
internal control systems to ensure that these are
followed and maintained as specified.

3.  APPLICATION 

These guidelines apply to the planning, design,
building, installation and operation of production
installations, pipeline systems and shipment
installations that are located in a fixed position on or
above the seabed or its substrata in inner coastal
Norwegian waters, Norwegian territorial waters
and the part of the Continental Shelf which is
subject to Norwegian sovereignty.
These guidelines also apply in areas outside the
Norwegian part of the Continental Shelf if such
application follows from specific agreement with a
foreign state or from international law. The
guidelines apply also to the exploration phase of the
activities.

4. THE SCOPE OF THE INTERNAL CONTROL
RESPONSIBILITY

Internal control includes control and systematic
actions, to ensure that exploration drilling, planning,
design, building, installation and operation take
place in a secure way pursuant to legislation in
force.

The internal control activity is expected to be
summarized in a general description which gives
reference to more detailed descriptions for the different
parts of the organization and different phases of the
activities.

If one company is operating more than one field
project, the description is expected to cover the
company in general with reference to separate
descriptions for each project.


The description of the internal control activities
shall be binding for the company internally and the
authorities externally. The document should
highlight the licensee's own safety aims.
The document must ensure distribution of possible
new revisions.


The internal control shall cover all parts of the
organization and all phases of an activity.


This shall inter alia ensure:

— that competent persons are used during
planning, construction, building, installation and
operation

— that worker protection and health personnel
shall be able to perform their work according to
the intentions of the law

— that all employees and contractor personnel are
given necessary training

— that a total safety evaluation is performed at
final concept choice

— that an analysis of the construction is performed

— that systems are established for the
administration of documents in all phases of a project

— that purchasing documents, specifications etc.
contain sufficient quality assurance
requirements

— that control of responsibility and
communication lines (interface control) are ensured


— that the suppliers' quality assurance is assessed,
accepted, audited and verified


— that it can be documented (by test reports,
certificates etc.) that the supply has an acceptable
quality

— that satisfactory operating programmes (for
example programme for drilling, start-up,
production and programmes for simultaneous
activities, inspection and testing, maintenance etc.) are
made and followed

— that temporary equipment may be installed and
operated in a secure way and pursuant to
established requirements

— that quality control during the operation
functions effectively

— that corrective actions take place when the
quality control indicates deviation from established
quality requirements

— that specifications for repair are established and
that the specifications give sufficient support for
— and sufficient requirements to — the
execution

— that modification for repair the originally
specified safety level


— that procedures are performed in such a way
that the safety is taken care of even if the
production installation must be operated in a not
predetermined way

— that the safety of the installation also is ensured
throughout work conflicts and irregular shut
down of production

— that necessary actions take place and involved
authorities are informed if abnormal incidents
or accidents should occur

— that information and documentation are
presented on time for the authorities in accordance
with laws, regulations and guidelines

These examples are not a comprehensive list of
what the licensee's internal control shall contain
but highlight some areas that should be given
special attention.

It is of importance that the licensee does evaluate
which areas that are covered through normal
internal routines and also areas where special
efforts are required. It must also be possible to
continuously update the internal control system.


5. ADMINISTRATION OF THE INTERNAL
CONTROL

The licensee's organization shall be structured in
such a way that it is possible to observe the
provisions stipulated in or by virtue of the legislation in
force.

To ensure the intended function of the internal
control, the organization plans shall include and/or
describe the function and the position of personnel
that shall supervise internal control and their duties
and responsibilities in that connection.


General responsibility and supervision of the
internal control is expected to be delegated to a
special unit in the licensee's organization. This unit
must have the necessary organizational freedom to
execute supervision with all relevant control
systems and to perform system audit.

Necessary organizational freedom will normally
mean that this function should be excluded from
operational responsibility and should have the
possibility to report to a higher organizational
level than the ones this unit supervises.

It is emphasized that this responsibility shall not
be in conflict with the free and independent
position that worker protection and health personnel
shall have according to the law. The internal
control system shall ensure the integrity of these
functions also with respect to organizational
freedom.

It must however be clearly understood that it is
the personnel performing the work that shall
ensure the execution of their duties in accordance with
existing requirements.


The licensee must specify the requirements to
independency in the verification on different
sublevels in the internal control system.
This will depend on the complexity and kind of
the different activities and availability of internal
resources in the licensee's organisation.

The general description of the internal control shall
be presented to the Norwegian Petroleum
Directorate. Detailed descriptions shall be submitted at an
agreed time.

6.  REFERENCE  DOCUMENTS 

As quality assurance is regarded as a key element
in internal control, the following documents could
be used as a general guidance and also guidance
within different areas in a control system:


ANSI Z-1.15 1979 Generic guidelines for quality
systems

ANSI N18.7 1976 Administrative controls and
quality assurance for the operational phase of nuclear
power plants

NS 5801, 5802, 580? Requirements for the
contractor's quality assurance with included reference
documents

BS-5750, 1979 Quality systems Part 1
Specification for design, manufacture and installation

2.1.3 The intention of the guidelines is to express
the Norwegian Petroleum Directorate's
general attitude to the problem area and to
indicate how the safety aspects can be handled at
an early stage of design.
The guidelines should not preclude the use
of alternative methods for the safety
evaluations.


2.2    Approval  procedure 

2.2.1 Approval procedures given by the Norwegian
Petroleum Directorate are summarized
in «Procedures for official approval of
production facilities, pipeline systems and
shipment facilities on the Norwegian Continental
Shelf».

2.2.2 The approval procedures assume that the
licensee, after receiving the necessary permits
of Field Development from the Department
of Oil and Energy, will present a general
development plan (Main Plan) to the
Norwegian Petroleum Directorate.

2.2.3 A safety evaluation of the platform concept
should be contained in the general
development plan. As soon as possible after
receiving approval of the Field Development
Plan, the licensee should ascertain to what
extent the guidelines are applicable.


1. DEFINITIONS

— Platform conceptual design — a general
description of the platform, such as

    — function and operation

    — relative location of the various
    primary and service facilities

    — escape routes, shelter areas and
    evacuation systems

    — primary load-bearing structures

    — the most important active and passive
    measures to reduce the probability of
    occurrence and the consequences of
    accidents

— Accident — an unwanted incident or
condition which is not assumed to occur
during normal operation, and which can
cause significant damage unless it is taken
into consideration during design.

— Accidental event — an accident in
combination with other conditions (e.g.
weather conditions) which may affect the
accidental effect.

— Design accidental event — accidental
event which is the basis for the design
evaluation to satisfy the acceptance
criteria outlined in chapter 5.

— Design accidental effect — effect of the
design accidental event expressed in
terms of heat flux, impact force and
energy, acceleration, etc., which is the
basis for the safety evaluations.

— Shelter area — area on or outside the
platform where the crew will remain safe
during an accidental event.

— Active protection — operational actions
and mechanical equipment which are
brought into operation when an accident
is threatening or after the accident has
occurred, in order to limit the probability of
the accident or the effects thereof. Some
examples of this are safety valves, shut
down systems, water drenching systems,
working procedures, drills for coping
with accidents, etc.

— Passive protection — protection against
damage, by means of distance, location,
strength and durability of structural
elements.


2. PURPOSE AND APPLICATION

2.1 Purpose

2.1.1 The purpose of this document is to give
guidance for execution of safety evaluations
of installations or groups of installations, as
required by the Norwegian Petroleum
Directorate to be included in the Main Plan (see
section 2.2.1).


2.1.2 The document gives guidance with respect
to:

— extent of documentation

— method for performing the analysis

— criteria for acceptable safety


2.3 Application

2.3.1 These guidelines should only be used for
safety evaluations and analysis of the
platform as completed in the operation phase.
The operation phase is here defined as the
stage where the Norwegian Petroleum
Directorate have approved the platform for
drilling, production or use of the living
quarter. Installations which are normally
unmanned and with minor pollution potential will
not normally be evaluated according to these
guidelines.

2.3.2 It is assumed that the design, construction,
operation and maintenance of the platform
will meet all prevailing regulations.

3.  DOCUMENTATION 

As a basis for the safety evaluation the
licensee should submit the following
information:

— description of the platform environment

— description of the platform function and
operation

— Layout drawings showing the
arrangement and location of the most important
functions. Special attention should be
paid to the location of activities and
equipment with significant damage
potential, in addition to living quarters,
escape ways, shelter areas and evacuation
systems.

— main load-carrying structural systems

— description of the important measures
incorporated to reduce the probability of
accidents

— description of measures incorporated to
reduce the consequences of accidents

— description of evacuation systems

— description of safety related new
technology and innovations planned to be used

— specified accidental events with
corresponding design accidental effects on
parts of the platform described later in
these guidelines

— an analysis showing that the
consequences of a design accidental effect comply
with the acceptance criteria outlined in
this document.


4.1.4 The accidents mentioned in section 4.1.3
may follow from primary failures, for
example blow-outs, fracture in riser pipes etc.
These primary failures do not require
individual consideration as long as the resulting
effect is accounted for as an accident under
section 4.1.3.


4.1.5 The analysis presupposes that a platform
concept has been decided by the licensee. On
this basis, a set of design accidental events
with corresponding effects should be
specified, based on the content of section 4.2. Any
reduction in accidental effect, or in the
probability thereof, due to active protective
measures, may be considered.


4.      SAFETY  EVALUATION  METHODS 


4.1     Principles  of  the  evaluation 

4.1.1 Safety evaluations of the type described in
this document should be carried out at a
superior system level. It is presupposed that the
licensee has chosen a concept solution
favourable to himself, which satisfies general
safety criteria. The intention is only to verify
at an early stage that the concept chosen by
the licensee will result in an acceptable
installation and that no major changes during
the design and construction phases will be
necessary because of safety requirements.
The aim of the safety evaluation is to
establish acceptable safety in compliance with
given criteria. The intention is not to include
calculation of residual risk (i.e. probability
and consequences of accidents which still
may occur).


4.1.2 Safety evaluations as outlined in this
document should verify a sufficiently low
probability of loss of human life, high material
damage and unacceptable environmental
pollution as a consequence of the accident.
An installation, when evaluated in the
concept phase, may be deemed adequately safe if
it meets the acceptance criteria given in these
guidelines.


4.1.3  The  following  types  of  accidents  should  be 
evaluated  where  relevant: 

—  blow-out 

—  fire 

—  explosion  and  similar  incidents 

—  falling  objects 

—  ship  and  helicopter  collisions 

— earthquakes

— other possible relevant types of accidents

— extreme weather conditions

— relevant combinations of these accidents

4.1.6 The licensee shall ensure that the platform
will satisfy acceptance criteria given in
chapter 5 when exposed to the design accidental
effect. Any passive protective measures
should be considered. Strength calculations
may comply with the Norwegian Petroleum
Directorate's «Regulations for the structural
design of fixed structures on the Norwegian
Continental Shelf».


4.2     Design  accidental  events 

4.2.1 For the sections of the platform that are
relevant to the acceptance criteria outlined in
chapter 5, the licensee should specify a set of
design accidental events. In principle the
design accidental events shall be the most
unfavourable situations relative to the acceptance
criteria.


4.2.2 In practical terms, it may be considered
necessary to exclude the most improbable
accidental events from the analysis. However the
total probability of occurrence of each type of
excluded situation (see 4.1.3) should not, by
best available estimate, exceed 10 ' per year
for any of the main functions specified in
5.2, 5.5 and 5.6.

This number is meant to indicate the
magnitude to aim for, as detailed calculations of
probabilities in many cases will be
impossible due to lack of relevant data.

4.2.3 Based on the design accidental events the
licensee should specify a set of design
accidental effects for sections of the platform
relevant to acceptance criteria outlined in
chapter 5. Design accidental effects will normally
be expressed in the following terms:

— heat flux and duration

— impact pressure, impulse or energy

— acceleration


4.2.4 When assessing the potential damage
particular attention should be paid to the reliability
of equipment, any active protection
measures and monitoring systems.


4.2.5 The Norwegian Petroleum Directorate do
not require a detailed analysis
documentation for specified design accidental events
and effects. An engineering approach based
on evaluation of actual damage potential,
experience, possible historical data, and
reliability data for the systems will normally be
sufficient. However, if the Norwegian
Petroleum Directorate consider the specified
accidental effects to be unreasonable, further
clarification and justification of the values
may be required in the detailed design phase.


5.      ACCEPTANCE  CRITERIA 

5.1 The platform design must be such that a
design accidental event does not impose a
danger to personnel outside the immediate
vicinity of the accident.

5.2 Section 5.1 can be considered satisfied by
complying with the following three criteria:

a) at least one escape way from central
positions which may be subjected to an
accident, shall normally be intact for at least
one hour during a design accidental event

b) shelter areas shall be intact during a
calculated accidental event until safe
evacuation is possible

c) depending on the platform type, function
and location, when exposed to the design
accidental event, the main support
structure must maintain its load carrying
capacity for a specified time


5.3 If external protection measures (e.g. fire
fighting ships etc.) are necessary to satisfy
section 5.2 then these shall be assumed to be
ineffective if not documented otherwise
until 4 hours after the start of the design
accidental event.

5.4 Any important safety-related control
functions are assumed to be located in a shelter
area.

5.5 Areas where the accidental event could
continue for a considerable period of time (for
example, wellhead area), should be located
to ensure that continuous effective measures
can be carried out during the calculated
event.

5.6 In case of a «blow-out» of wellhead(s) the
platform shall be designed so that
identification of which wellhead(s) are out of control
is possible. This should be possible before as
well as after evacuation of the platform.

3. Survey of the project results

The  main  chapters  in  the  final  report  are: 

1.  Introduction. 

Showing  how  the  project  was  carried  out  and  what  the 
results  are. 

2.  Main  structure  of  a  field  development  project. 

The phases of the project, specifying milestones,
participants, tasks and documents for each phase are
described. Special emphasis is put on safety activities and
safety documents.

3.  Safety  management  in  projects. 

Survey  of  safety  management.  What^^how,  describing 
purpose,  content,  role  in  the  total  project  management, 
relation  to  quality  assurance,  etc. 

4.  Safety  objectives  and  safety  requirements. 

The establishment of safety objectives, acceptance
criteria, design requirements and design documents is
described. The connection between them and the influence
on them of regulations and internal company
requirements is discussed together with the role of the safety
analyses in this process.

5. Safety program.

Description of purpose, content and use of the safety
program in practical safety management. It is a tool in
systematic planning and the evaluation of safety of an
installation.

6.  Phase  models 

These are the main descriptions of the project model,
showing activities, documents, decisions and which
participants are active in each phase. The safety activities
and control entities are indicated in these descriptions.
The  descriptions  encompass: 

—  a  survey  of  all  project  phases  and  the  relations  between 
them 

—  description  of  each  phase 

7.  Safety  analyses 

A  collective  survey  of  10  important  analyses  which  may 
be  made  in  a  project. 

8.  Control  entities 

The  documents  on  which  it  is  important  to  concentrate 
management  are  here  described. 

9.  Organization  of  safety  activities 

This  includes 


10.  Using  the  model 

A  discussion  is  presented  with  proposals  as  to  how  the 
project  model  for  safety  management  can  be  used 

—  in  companies 

—  in  projects 

— in education

SUMMARY COMMENTS ON APPLICATION AND LIMITATIONS
OF RISK ANALYSIS IN
OFFSHORE EXPLORATION AND PRODUCTION


by 

Struan  Simpson,  E&P  Forum 


Early in 1981 the Oil Industry International Exploration and Production Forum
(E&P Forum) initiated a program to study the relevance of risk analysis in
offshore operations. Risk analysis, as defined in the program, refers to the
use of formalized techniques such as failure modes and effects analysis, Fault
and Event Tree analyses, etc., and may include quantitative estimates of risk
probabilities.

The program to date has included a survey of current methodology and typical
applications in offshore engineering projects. Data were obtained from 16
major companies and 168 projects were identified. The results of the survey
indicated that risk analysis techniques have been used in a wide range of
projects and at various levels of manpower commitment. Projects include, for
example, structures, drilling, production, and product transportation. Studies
were carried out at a variety of stages of project development (feasibility,
design, construction, commissioning and operations). The survey also indicated
that the purposes for conducting these analyses covered a wide range and extended
from assisting the engineering design function to providing safety evaluations
for project management and statutory agencies.

The  number  of  projects  reported  and  the  published  literature  clearly  indicate 
that  the  offshore  industry  assigns  a  positive  value  to  risk  analysis  techniques. 
It  is  evident,  however,  that  they  are  used  as  supplementary  aids  to  the  primary 
engineering and management processes as distinct from primary design or
decision-making tools. It is also evident that risk analysis offers no inherent advantage
in  hazard  identification  over  conventional  practices  and  reviews,  i.e.,  if  the 
basic  engineering  design  model  and  considerations  do  not  include  identification 
of  a  given  hazard,  then  the  risk  analysis  cannot  identify  it.    Risk  analyses 
reported  in  the  survey  were  supplements  to  and  not  replacements  for  conventional 
engineering  and  management  practices. 

The  major  supplement  provided  by  risk  analysis  to  conventional  practices  lies 
in  formalized  procedures  for  hazard  and  risk  identification  and  in  a  statistical 
measure  of  the  risk.    Used  skillfully,  risk  analyses  can  assist  in  clarifying 
perceptions  of  risks  and  their  relative  importance.    However,  the  statistical 
measure,  in  most  cases,  must  be  treated  as  a  subjective  one  because  of  the 
uncertainties  in  modeling  the  operation  and  the  difficulty  in  developing 
applicable  data.    A  high  degree  of  caution,  judgement,  and  experience  should  be 
used  in  interpreting  and  applying  the  statistical  results. 

The  present  phase  of  the  E&P  Forum  program  has  not  substantially  addressed 
the  overall  impact  of  risk  analysis  on  exploration  and  production  projects. 
This  measure  of  the  relevance  of  risk  analysis  to  offshore  operations  is  an 
important one for future consideration.

OREDA - OFFSHORE RELIABILITY DATA


A EUROPEAN APPROACH TO RELIABILITY DATA COLLECTION OFFSHORE

by

Torkell Gjerstad, Elf Aquitaine Norge A/S
OREDA Steering Committee Chairman


Summary:

Seven oil companies operating out of Norway have joined a project with the
objective of publishing a reliability data reference for offshore safety,
drilling, and production systems. Experience data are being collected within
the participating companies, and the total experience will be presented in a
handbook as generic reliability data. The plan is to publish the handbook
within 1984.

1. PRE-PROJECT

The idea to the OREDA Project was presented in 1980. At that time The
Norwegian Petroleum Directorate was carrying out a study called "collection,
storing and processing of data." A number of reliability data bank concepts
would be to work out a reliability data handbook. This handbook should be
based on the experience and information which already were existing within the
operating companies. The concept of putting up a centralized data bank which
initially had to be fed with inventory information, and to which the operating
companies were to report malfunctions and failures, was thus rejected.

The idea of putting together a handbook was further developed to a pre-project
sponsored by the Norwegian Petroleum Directorate and later on by the Safety
Offshore Program. A number of case studies were undertaken within operating
companies, and it was demonstrated that the quality of maintenance, test and
inspection records was satisfactory as a basis for reliability parameter
calculations.

2.  CONFIDENTIALITY 

Extensive efforts were put into designing the project organization in a way
which would ensure an acceptable level of confidentiality for the companies
which would join the project. A number of operators had by now expressed an
interest in OREDA, and actively contributed to finding a satisfactory solution
to this problem. The main contract for OREDA was placed with Det norske Veritas,
with the responsibility for administration, method development and production
of the handbook. Each participating company was free to select for itself
the subcontractor responsible for the data collection and processing
within the company. Only generic data will be handed over to the main contractor
for merging of data from the different participants and eventual input to the
handbook. Such a project organization requires a link between the main contractor
and the various participants, in order to be able to trace data inputs back to
the source when the need for checking and additional information arises. In
the OREDA Project, this link is provided by the Project Steering Committee.

3.  COLLABORATION 

During  1983  seven  operating  companies  joined  OREDA: 

- Norsk AGIP A/S
- BP Petroleum Development Ltd., Norway
- Elf Aquitaine Norge A/S
- Norsk Hydro A/S
- A/S Norske Shell
- Statoil, Den norske Stats Oljeselskap A/S
- Total Oil Marine

The OREDA budget is US$ 54.000, paid in equal shares by the participants.
The OREDA Project today is an exclusive industry project, with no involvement
from the Norwegian Authorities. It is a 2-year project planned to be finished
by the end of 1984.

Data  are  collected  from  the  Norwegian  and  British  sector  of  the  North  Sea  and 
from  the  Adriatic  Sea.    The  OREDA  participants  benefit  from  the  project  in  many 
ways.    An  extensive  amount  of  experience  data  are  being  collected  and  processed 
internally within the company. This site-specific information, including
failure  histories  of  the  various  systems,  will  remain  within  the  company.  Only 
anonymous  information  is  being  put  forward  to  the  main  contractor  for  inclusion 
in  the  handbook.    Being  involved  in  the  project,  each  participant  will  have  the 
opportunity  to  compare  their  own  past  experience  with  that  of  other  operating 
companies.    Finally,  the  whole  offshore  industry  will  gain  from  the  publication 
of  this  handbook,  which  we  believe  will  become  a  standard  reference  for  risk 
and  reliability  studies  of  offshore  installations. 

4.  THE  HANDBOOK 

The  OREDA  Project  covers  a  wide  range  of  components  and  systems.    The  handbook 
is  expected  to  present  reliability  data  on  approximately  150  different  items. 
The  following  main  areas  will  be  included: 

1.    Safety  Systems 

1.1  Gas  and  Fire  Protection 

1.2  Process  Sensors 

1.3  Firefighting  Systems 

1.4  Emergency  Shut-down  Systems 

1.5  Pressure  Relieving  Systems 

1.6  General  Alarm  and  PA  Systems 

1.7 Evacuation Systems

2. Process Systems

2.1  Vessels 

2.2  Valves 

2.3  Pumps 

2.4  Heat  Exchangers 

2.5  Compressors 

2.6  Pig  Launching/Receiving  Systems 

3.  Electrical  Systems 

3.1  Power  Generation 

3.2  Power  Conditioning 

3.3  Power  Protection 

3.4  Control  Instrumentation 

4.  Utility  Systems 

4.1  Slop  and  Drain  Systems 

4.2  Ventilation  and  Heating  Systems 

4.3  Hydraulic  PA  Supply  Systems 

4.4  Pneumatic  Power  Supply  Systems 

5.  Drain  Systems 

6.  Drilling  Equipment 

6.1  Drawworks 

6.2  Hoisting  Equipment 

6.3  Diverter  Systems 

6.4 Drilling Riser

6.5  BOP  Systems 

6.6  Mud  Systems 

The data will be presented in the handbook in terms of failure rates and
on-demand failure probabilities, with an associated failure mode distribution.
Additional information concerning the operating environment, test interval,
etc., will be given with each data sheet. An indication of the variations in
the data inputs will also be included. The plan is to publish the OREDA handbook
and give it as wide a circulation as possible.

Risk and reliability studies of offshore installations have in the past been
based to a great extent on reliability data input from other industries,
primarily from the process and nuclear power industries. There is today a growing
application of such studies offshore, and the OREDA handbook will make a
significant contribution to improving the quality of this work.

Further details on the publishing of the OREDA handbook may be obtained from:

The  OREDA  Project 
A/S Veritec
P.O.  Box  300 
N-1322  HOVIK 
NORWAY 

Tel:    02  -  129900 
Tlx:    76192 VERIT N